Open-source GitHub cybersecurity projects, developed and maintained by dedicated contributors, provide valuable tools, frameworks, and resources to enhance security practices.
From vulnerability scanning and network monitoring to encryption and incident response, the following collection encompasses a diverse range of projects that can aid individuals and organizations in safeguarding their digital assets.
The ATT&CK Navigator allows users to navigate and annotate ATT&CK matrices, similar to using Excel. It provides a way to visualize defensive coverage, plan red/blue team activities, and track technique frequency. It enables users to manipulate matrix cells, such as adding comments or color coding.
Its main feature is the ability to create custom views called layers, which offer personalized perspectives of the ATT&CK knowledge base. Layers can be created interactively or programmatically and then visualized using the Navigator.
Cryptomator is an open-source multi-platform that provides client-side encryption for files stored in the cloud.
Unlike many cloud providers, which typically encrypt data only during transmission or retain decryption keys themselves, Cryptomator ensures that only the user possesses the key to their data. This approach minimizes the risk of key theft, copying, or misuse.
Cryptomator also enables users to access their files from any of their devices.
Cutter is a free and open-source reverse engineering platform that utilizes Rizin as its core engine. This enables users to access numerous features either through the graphical user interface (GUI) or the integrated terminal.
Cutter offers a wide range of widgets and features to enhance the comfort of the reverse engineering process. Its releases are fully integrated with the native Ghidra decompiler, eliminating the need for Java.
Dismap is a tool used for asset discovery and identification, specifically for protocols such as web, TCP, and UDP. It detects various asset types and is applicable to both internal and external networks. It assists red team personnel in identifying potential risk assets and supports blue team personnel in detecting suspected fragile assets.
The fingerprint rule base of Dismap encompasses TCP, UDP, and TLS protocol fingerprints, as well as more than 4500 web fingerprint rules. These rules facilitate the identification of elements such as favicon, body, header, and other relevant components.
Faraday is an open-source vulnerability manager designed to assist in discovering vulnerabilities and improving remediation efforts. It helps security professionals by providing a platform to focus on finding vulnerabilities while streamlining the process of organizing their work. Faraday is used through the terminal and allows users to take advantage of community tools in a multiuser environment.
One of the key features of Faraday is its ability to aggregate and normalize the data loaded into it. This enables managers and analysts to explore the data through various visualizations, facilitating a better understanding of the vulnerabilities and aiding in decision-making processes.
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool. It is implemented in the Rust programming language and incorporates multi-threading to optimize its speed. The tool includes a feature to convert Sigma rules into Hayabusa rule format.
The detection rules compatible with Hayabusa are written in YAML, allowing for easy customization and extension. Hayabusa can be utilized in various ways, including live analysis on individual systems, offline analysis by collecting logs from single or multiple systems, or in conjunction with Velociraptor for enterprise-wide threat hunting and incident response.
The generated output is consolidated into a single CSV timeline, facilitating analysis in popular tools such as LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, and others.
ImHex is a Hex Editor: a tool to display, decode and analyze binary data to reverse engineer their format, extract informations or patch values in them.
It has many advanced features: a completely custom binary template and pattern language to decode and highlight structures in the data, a graphical node-based data processor to pre-process values before they’re displayed, a disassembler, diffing support, bookmarks and much much more. At the same time ImHex is completely free and open source under the GPLv2 license.
Kubescape is an open-source Kubernetes security platform for IDE, CI/CD pipelines, and clusters. It offers features such as risk analysis, security assessment, compliance checks, and misconfiguration detection.
Kubescape scans various components including clusters, YAML files, and Helm charts. It utilizes multiple frameworks such as NSA-CISA, MITRE ATT&CK, and the CIS Benchmark to identify misconfigurations.
Matano is an open-source cloud-native security lake platform that serves as an alternative to SIEM (security information and event management). It enables threat hunting, detection, response, and cybersecurity analytics at a massive scale of petabytes on the AWS platform.
With Matano, users can gather data using S3 (simple storage service) or SQS (simple queue service) based ingestion methods. It comes with pre-configured sources like CloudTrail, Zeek, and Okta, and also automatically retrieves log data from all your SaaS sources.
Malwoverview is a tool used for threat hunting. It is designed to provide an initial and rapid assessment of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes.
It offers the capability to generate dynamic and static behavior reports and allows users to submit and download samples from various endpoints. It serves as a client for established sandboxes, enabling efficient analysis of potential threats.
The Metasploit Framework is a Ruby-based, modular penetration testing platform. It allows users to write, test, and execute exploit code.
It contains a suite of tools used for testing security vulnerabilities, network enumeration, attack execution, and detection evasion.
Essentially, it’s a collection of widely used tools that offer a complete environment for penetration testing and exploit development.
MISP is an open-source software solution used for collecting, storing, distributing, and sharing cyber security indicators and threats related to cyber security incidents and malware analysis. It is specifically designed for incident analysts, security and ICT professionals, or malware reversers to support their day-to-day operations to share structured information efficiently.
The main goal of MISP is to facilitate the sharing of structured information among the security community and beyond. It offers various functionalities to enable the exchange of information and the utilization of such information by network intrusion detection systems (NIDS), log-based intrusion detection systems (LIDS), as well as log analysis tools and SIEM systems.
Nidhogg is a rootkit designed for red teams, offering various functions to support red team engagements. It serves as an all-in-one and user-friendly rootkit that can be easily integrated into your C2 framework using a single header file.
Nidhogg is compatible with x64 versions of Windows 10 and Windows 11. The repository includes a kernel driver and a C++ header file for communication purposes.
RedEye is an open-source analytic tool created by CISA and the Pacific Northwest National Laboratory of the Department of Energy. Its purpose is to support Red Teams in analyzing and reporting command and control activities. It assists operators in evaluating mitigation strategies, visualizing complex data, and making informed decisions based on the findings of a Red Team assessment.
The tool is designed to parse logs, particularly those generated by Cobalt Strike, and present the data in a user-friendly format that is easy to comprehend. Users have the ability to tag and add comments to the activities displayed within the tool, enhancing collaboration and analysis. RedEye also offers a presentation mode that allows operators to showcase their findings and workflow to stakeholders.
SpiderFoot is an open-source intelligence (OSINT) automation tool. It integrates with various data sources and employs diverse data analysis methods, facilitating navigation of the collected information.
It features an embedded web-server that offers a user-friendly web-based interface. Alternatively, it can be operated entirely through the command-line. The tool is coded in Python 3 and released under the MIT license.
System Informer is a free, multi-purpose tool that enables users to monitor system resources, debug software, and detect malware.
It offers the following features:
- Clear overview of running processes and resource usage
- Detailed system information and graphs
- Views and edits services
- Other features useful for debugging and analyzing software
Tink is an open-source cryptography library developed by Google’s cryptographers and security engineers. It offers secure and user-friendly APIs that minimize common errors through a user-centered design approach, careful implementation and code reviews, and thorough testing.
Tink is specifically designed to assist users without a cryptography background in implementing cryptographic tasks securely. It has been deployed in numerous products and systems across Google.
Vuls is a vulnerability scanner designed for Linux, FreeBSD, Container, WordPress, Programming language libraries, and Network devices.
It is an agent-less tool and has the following features:
- Identification of system vulnerabilities
- Provides information on the servers that are affected
- Automated vulnerability detection
- Regular vulnerability reporting using methods like CRON
Wazuh is a free and open-source platform that offers threat prevention, detection, and response capabilities. It can be used to protect workloads in various environments, including on-premises, virtualized, containerized, and cloud-based setups.
It has two main components: an endpoint security agent and a management server. The endpoint security agent is installed on the systems being monitored, and it is responsible for collecting security-related data. The management server receives the data collected by the agents and performs analysis on it.
It has been fully integrated with the Elastic Stack, providing a search engine and data visualization tool. This integration allows users to navigate through their security alerts and gain insights from the collected data.
x64dbg is an open-source binary debugger designed for Windows operating systems. It focuses on the analysis of malware and reverse engineering of executable files when the source code is not available.
Key features of x64dbg include:
- Customizability: Users can write plugins in C++, customize colors, and adjust preferences according to their needs.
- x64/x32 support: It can handle both x64 and x32 applications, providing a unified interface for debugging.
- Built on open-source libraries: x64dbg uses Qt, TitanEngine, Zydis, Yara, Scylla, Jansson, lz4, XEDParse, asmjit and snowman.
- Simple development: The software is developed using C++ and Qt, enabling efficient addition of new features.
- Scriptability: x64dbg has an integrated and debuggable ASM-like scripting language.
- Community awareness: Many features of x64dbg have been conceived or implemented by the reverse engineering community.
- Extensibility: Users can create plugins to add custom script commands or integrate external tools.