Free Cybersecurity Services and Tools

As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.

The list is not comprehensive and is subject to change pending future additions. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Foundational Measures

All organizations should take certain foundational measures to implement a strong cybersecurity program:

  • Fix the known security flaws in software. Check the CISA Known Exploited Vulnerabilities (KEV) Catalog for software used by your organization and, if listed, update the software to the latest version according to the vendor’s instructions. Note: CISA continually updates the KEV catalog with known exploited vulnerabilities.
  • Implement multifactor authentication (MFA). Use multifactor authentication where possible. MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.
  • Halt bad practices. Take immediate steps to: (1) replace end-of-life software products that no longer receive software updates; (2) replace any system or products that rely on known/default/unchangeable passwords; and (3) adopt MFA (see above) for remote or administrative access to important systems, resources, or databases.
  • Sign up for CISA’s Cyber Hygiene Vulnerability Scanning. Register for this service by emailing Once initiated, this service is mostly automated and requires little direct interaction. CISA performs the vulnerability scans and delivers a weekly report. After CISA receives the required paperwork, scanning will start within 3 business days, and organizations will begin receiving reports within two weeks. Note: vulnerability scanning helps secure internet-facing systems from weak configurations and known vulnerabilities and encourages the adoption of best practices.
  • Get your Stuff Off Search (S.O.S.). While zero-day attacks draw the most attention, frequently, less complex exposures to both cyber and physical security are missed. Get your Stuff Off Search–S.O.S.–and reduce internet attack surfaces that are visible to anyone on web-based search platforms.

Free Services and Tools

After making progress on the measures above, organizations can use the free services and tools listed below to mature their cybersecurity risk management. These resources are categorized according to the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:

  1. Reducing the likelihood of a damaging cyber incident;
  2. Detecting malicious activity quickly;
  3. Responding effectively to confirmed incidents; and
  4. Maximizing resilience.


Reducing the Likelihood of a Damaging Cyber Incident

| Service | Skill Level | Owner | Description | Link |
|---|---|---|---|---|
| FortifyData | Basic | FortifyData | Quarterly vulnerability assessments that include automated attack surface assessments with asset classification, risk-based vulnerability management and security rating. The FortifyData all-in-one cyber risk management platform also offers third-party cyber risk management. | Free Plan - FortifyData |
| OpenVAS | Basic | Greenbone | This vulnerability scanner's capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. | OpenVAS - Open Vulnerability Assessment Scanner |
| Network Reporting | Basic | ShadowServer | A subscription service that sends custom remediation reports to inform organizations about the state of their networks and security exposures. | Network Reporting \| The Shadowserver Foundation |
| Vulcan Cyber | Basic | Remedy Cloud | A searchable database of remedies and fixes for thousands of known vulnerabilities. It also provides trend analytics highlights such as "most-searched CVEs" and "most-visited vulnerability remedies." | |
| Ransomware Risk Assessment | Basic | Zscaler | This service assesses an organization's ability not only to counteract a ransomware infection and its spread, but also to resume operations in case of an infection. It scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods. It is safe to use and runs within the browser. | |
| Internet Threat Exposure Analysis | Basic | Zscaler | This tool analyzes an organization's environment to assess its cyber risk posture. It scans the security stack to find common intrusion and data exfiltration methods left exposed. It is safe to use and runs within the browser. It won't introduce malware, and doesn't access data or change settings. | Free, Instant Security Scan - It's 100% Safe \| Zscaler |
| CISA Cybersecurity Publications | Basic | CISA | CISA provides automatic updates to subscribers via email, RSS feeds, and social media. Subscribe to be notified of CISA publications upon release. | |
| CISA Vulnerability Scanning | Basic | CISA | This service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. It provides weekly vulnerability reports and ad-hoc alerts. See for details. Email: | |
| Immunet Antivirus | Basic | Cisco | Immunet is a malware and antivirus protection system for Microsoft Windows that utilizes cloud computing to provide enhanced community-based security. | |
| Cloudflare Unmetered Distributed Denial of Service Protection | Basic | Cloudflare | Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised. | |
| Cloudflare Universal Secure Socket Layer Certificate | Basic | Cloudflare | SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Cloudflare allows any internet property to use SSL with the click of a button. | |
| Microsoft Defender Application Guard | Basic | Microsoft | This capability offers isolated browsing by opening Microsoft Edge in an isolated browsing environment to better protect the device and data from malware. | |
| Controlled folder access/Ransomware protection in Windows | Basic | Microsoft | Controlled folder access in Windows helps protect against threats like ransomware by protecting folders, files, and memory areas on the device from unauthorized changes by unfriendly applications. | |
| Microsoft Defender Antivirus | Basic | Microsoft | This tool is used to protect against and detect endpoint threats, including file-based and fileless malware. It is built into Windows 10 and 11 and into versions of Windows Server. | |
| Cybersecurity Evaluation Tool (CSET) and On-Site Cybersecurity Consulting | Basic | CISA | This tool assists organizations in protecting their key national cyber assets. It provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. | |
| CIS Hardware and Software Asset Tracker | Basic | Center for Internet Security | This tool is designed to help identify devices and applications. The spreadsheet can be used to track hardware, software, and sensitive information. | |
| PGP | Basic | Open Source | This tool encrypts emails with public key cryptography. | |
| BitLocker for Microsoft Windows | Basic | Microsoft | This tool encrypts Microsoft Windows systems. | |
| AdBlock | Basic | Open Source | This tool blocks pop-up ads, videos and other unwanted content while browsing. | |
| Quad9 for Android | Basic | Open Source | This tool for Android devices is designed to help block users from accessing known sites that host viruses or other malware. | |
| Quad9 | Basic | Open Source | This tool is designed to prevent computers and devices from connecting to malware or phishing sites. | |
| Google Safe Browsing | Basic | Google | This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters. | |
| Project Shield | Basic | Google | Jigsaw Project Shield is a free service that defends news, human rights, and election monitoring sites from DDoS attacks. | |
| Google reCAPTCHA | Basic | Google | reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on a user's website. | |
| Web Risk | Basic | Google | Web Risk API is a User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Web Risk API lets organizations compare URLs in their environment against a repository of over 1 million unsafe URLs. | |
| Google Security Command Center | Basic | Google | This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities and threats; and helping them mitigate and remediate risks. | |
| Google OSS-Fuzz | Basic | Google | OSS-Fuzz aims to make common open source software more secure and stable by combining modern fuzzing techniques with scalable, distributed execution. | |
| Santa | Basic | Open Source | Santa is a binary authorization system for macOS. | |
| Go Safe Web | Basic | Open Source | Go Safe Web is a collection of libraries for writing secure-by-default HTTP servers in Go. | |
| Open Source Vulnerabilities (OSV) | Basic | Open Source | OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source. | |
| Open Source Insights | Basic | Open Source | Open Source Insights is a searchable dependency graph with vulnerability information. | |
| AllStar | Basic | Open Source | AllStar is a GitHub application for enforcing security policies and permissions. | |
| Security Scorecards | Basic | Open Source | Security Scorecards is a collection of security health metrics for open source, allowing users to evaluate the security practices of an open source package before use. Results are available publicly as a Google Cloud BigQuery dataset. | |
| Tink | Basic | Open Source | Tink is a multi-language, cross-platform, open-source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. | |
| Google Cybersecurity Action Team | Basic | Google | This service provides a number of security resources including security blueprints, whitepapers, threat reports, and information regarding recent vulnerabilities. | |
| Tsunami Security Scanner | Basic | Open Source | Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. | |
| OpenDNS Home | Basic | Cisco | OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. | |
| Continuous Monitoring & Security Ratings | Basic | SecurityScorecard | Security ratings provide an objective, data-driven view of your company's cybersecurity risk exposure and cybersecurity hygiene, which are quantified and scored in an easy-to-understand A-F (0-100) cyber security rating. | Free Security Rating \| SecurityScorecard |
| Binary Edge | Basic | Binary Edge | This tool continuously collects and correlates data from internet-accessible devices, allowing organizations to see what their attack surface is and what they are exposing to attackers. The no-cost offering is limited to one user and a limited number of monthly scans. | BinaryEdge Portal |
| Atomic Red Team | Basic | Open Source | Atomic Red Team™ is a PowerShell-based execution framework that provides a library of simple tests that every security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. Note: Use of this tool could make it more difficult for some organizations to identify malicious PowerShell usage. | Meet the Atomic Family \| Atomic Red Team |
| CrowdStrike CRT | Advanced | CrowdStrike | CRT is a free community tool designed to help organizations quickly and easily review excessive permissions in their Azure AD environments. CRT helps determine configuration weaknesses and provides advice to mitigate this risk. | |
| Tenable Nessus Essentials | Advanced | Tenable | This free version of a vulnerability assessment solution includes remote and local (authenticated) security checks, a client/server architecture with a web-based interface, and an embedded scripting language for writing your own plugins or understanding existing ones. Limited by default to 16 hosts. | |
| Alien Labs Open Threat Exchange (OTX) Endpoint Security | Advanced | AT&T Cybersecurity | This tool leverages data from Alien Labs OTX to help identify whether endpoints have been compromised in major cyberattacks. It provides quick visibility into threats on all endpoints by scanning for IOCs using OTX. | |
| Alien Labs Open Threat Exchange (OTX) | Advanced | AT&T Cybersecurity | OTX provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating security infrastructure with threat data from any source. OTX enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques. | |
| ClamAV | Advanced | Cisco | ClamAV is an open-source (general public license [GPL]) antivirus engine used in a variety of situations, including email and web scanning, and endpoint security. It provides many utilities for users, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates. | |
| Kali Linux Penetration Testing Platform | Advanced | Kali Linux Project | Kali Linux contains several hundred tools targeted toward various information security tasks, such as penetration testing, security research, computer forensics, and reverse engineering. | |
| Cloudflare Zero Trust Services | Advanced | Cloudflare | Cloudflare Zero Trust Services are essential security controls to keep employees and apps protected online across 3 network locations and up to 50 users. Services include: Zero Trust Network Access; Secure Web Gateway; Private Routing to IP/Hosts; HTTP/S Inspection and Filters; Network Firewall as a Service; DNS Resolution and Filters; and Cloud Access Security Broker. | |
| Microsoft Sysinternals Security Utilities | Advanced | Microsoft | Sysinternals Security Utilities are free, downloadable tools for diagnosing, troubleshooting, and deeply understanding the Windows platform. | |
| Memory integrity | Advanced | Microsoft | Memory integrity in Windows, also known as Hypervisor-protected code integrity (HVCI), is a Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack computers. | |
| RiskIQ Community | Advanced | Microsoft | The RiskIQ community offers free access to internet intelligence, including thousands of OSINT articles and artifacts. Community users can investigate threats by pivoting through attacker infrastructure data, understand what digital assets are internet-exposed, and map and monitor their external attack surface. | |
| IBM X-Force Exchange | Advanced | IBM | IBM X-Force Exchange is a cloud-based threat intelligence platform that allows users to consume, share, and act on threat intelligence. It enables users to conduct rapid research of the latest global security threats, aggregate actionable intelligence, consult with experts, and collaborate with peers. | |
| Mandiant Attack Surface Management | Advanced | Mandiant | This early warning system for information security allows you to: create comprehensive visibility through graph-based mapping; know when assets change to stay ahead of the threat; and empower security operations to mitigate real-world threats. | |
| Mandiant Threat Intelligence | Advanced | Mandiant | Free access to the Mandiant Threat Intelligence Portal helps users understand recent security trends, proactively hunt threat actors, and prioritize response activities. | |
| Splunk Synthetic Adversarial Log Objects (SALO) | Advanced | Splunk | SALO is a framework for generating synthetic log events without the need for infrastructure or actions to initiate the event that causes a log event. | |
| Splunk Attack Detection Collector (ADC) | Advanced | Splunk | This tool simplifies the process of collecting MITRE ATT&CK® techniques from blogs or PDFs and mapping ATT&CK TTPs to Splunk detection content. | |
| Splunk Attack Range | Advanced | Splunk | This tool enables simulated attacks in a repeatable cloud-enabled (or on-premises) lab with a focus on Atomic Red Team integration. | |
| Splunk Training | Advanced | Splunk | Splunk Training is a free, hosted platform for on-demand training with hands-on practice addressing specific attacks and realistic scenarios. | |
| VMware Carbon Black User Exchange | Advanced | VMware | Carbon Black User Exchange provides access to real-time threat research data shared by a global community of security professionals. | |
| Carbon Black TAU Excel 4 Macro Analysis | Advanced | VMware | This tool tests endpoint security solutions against Excel 4.0 macro techniques. | |
| Paros Proxy | Advanced | Open Source | This Java-based tool is used to find vulnerabilities in web applications. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks, such as SQL injection and cross-site scripting. | |
| Cyber Security Tools by SANS Instructors | Advanced | SANS | This website includes links to an array of open-source tools built by cybersecurity instructors. | |
| Windows Management Instrumentation Command-line | Advanced | Microsoft | The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. | |
| Let's Encrypt | Advanced | Open Source | This tool provides a free digital certificate to enable HTTPS (SSL/TLS) for websites. | |
| Hping | Advanced | Open Source | This tool assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It can be useful for performing security assessments. | |
| Aircrack | Advanced | Open Source | Aircrack is a suite of tools for testing the strength of passwords used for wireless networks. | |
| Nikto | Advanced | Open Source | Nikto is an open source (GPL) web server scanner that performs vulnerability scanning against web servers for multiple items, including dangerous files and programs. Nikto checks for outdated versions of web server software. It also checks for server configuration errors and any possible vulnerabilities they might have introduced. | |
| w3af | Advanced | Open Source | w3af is a flexible framework for finding and exploiting web application vulnerabilities, featuring dozens of web assessment and exploitation plugins. | |
| VMware Fusion Player | Advanced | VMware | This tool allows Mac users to run Windows, Linux, containers, Kubernetes, and more in virtual machines without rebooting. | |
| Secureworks PhishInSuits | Advanced | Secureworks | The PhishInSuits tool conducts security assessments and tests control frameworks against scenarios such as BEC attacks. It combines this variation of illicit consent attacks with SMS-based phishing to emulate BEC campaigns and includes automated data-exfiltration capabilities. | |
| Secureworks WhiskeySAML | Advanced | Secureworks | The WhiskeySAML tool automates the remote extraction of an ADFS signing certificate. WhiskeySAML then uses this signing certificate to launch a Golden SAML attack and impersonate any user within the target organization. | |
| Collabfiltrator | Advanced | Secureworks | This tool is designed to exfiltrate blind remote code execution output over DNS via Burp Collaborator. | |
| O365Spray | Advanced | Secureworks | This is a username enumeration and password spraying tool aimed at Microsoft Office 365. | |
| Tachyon | Advanced | Secureworks | Tachyon is a rapid web application security reconnaissance tool. It is designed to crawl a web application and look for leftover or non-indexed files, with the addition of reporting pages or scripts leaking internal data (a.k.a. "blind" crawling). It is used from the command line and targeted at a specific domain. Tachyon uses an internal database to construct these blind queries swiftly. | |
| Vane2 | Advanced | Secureworks | Vane2 is a WordPress site vulnerability scanner. It is meant to be targeted at WordPress websites and identifies the corresponding WordPress version as well as its installed plugins in order to report known vulnerabilities on each. | |
| Batea | Advanced | Secureworks | Batea is a practical application of machine learning for pentesting and network reconnaissance. It consumes nmap reports and uses a context-driven network device ranking framework based on the anomaly detection family of machine learning algorithms. The goal of Batea is to allow security teams to automatically filter interesting network assets in large networks using nmap scan reports. | |
| Checkov | Advanced | Palo Alto Networks | This tool scans Infrastructure as Code (IaC), container images, open-source packages, and pipeline configuration for security errors. With hundreds of built-in policies, Checkov surfaces misconfigurations and vulnerabilities in code across developer tools (CLI, IDE) and workflows (CI/CD pipelines). | |
| Palo Alto Networks Unit 42 - Actionable Threat Objects and Mitigations (ATOMs) | Advanced | Palo Alto Networks | ATOMs is a free repository of observed behaviors of several common threat adversaries, mapped to the MITRE ATT&CK framework. ATOMs can be filtered by targeted sector, region, or malware used for ease of information sharing and deployment of recommended security mitigations. | |
| Google ClusterFuzz | Advanced | Google | ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software. It is also the fuzzing backend for Google OSS-Fuzz. ClusterFuzz Lite is simple CI-integrated fuzzing based on ClusterFuzz. | |
| Brutespray | Advanced | Open Source | Brutespray is a port scanning and automated brute-force Python script that operates on a Kali Linux OS. The tool utilizes Nmap scanner outputs to brute-force services with default credentials, which can be used to mitigate adversarial brute-force attacks if cracked default credentials are remediated. | GitHub - x90skysn3k/brutespray |

Take Steps to Quickly Detect a Potential Intrusion

| Service | Skill Level | Owner | Description | Link |
|---|---|---|---|---|
| Blumira's Free SIEM | Basic | Blumira | Blumira's Free SIEM provides detection and response coverage for up to 3 cloud integrations, including M365, Duo, SentinelOne, Umbrella, Webroot, and Mimecast. Free for unlimited users, Blumira's Free SIEM also provides two weeks of log data retention. | Pricing \| Blumira |
| CodeSec | Basic | Contrast Security | It can serve as a static analysis tool for Java and .NET. The offering can test and protect third-party open-source code moving through the supply chain with continuous monitoring in production. The tool can also find code security, open-source security and permission issues. | Developer Central \| Contrast Security |
| Cascade (MITRE ATT&CK) | Basic | MITRE | Built on the MITRE ATT&CK Framework: the prototype CASCADE server has the ability to handle user authentication, run analytics, and perform investigations. The server runs analytics against data stored in Splunk/Elasticsearch to generate alerts. Alerts trigger a recursive investigative process where several ensuing queries gather related events. | GitHub - mitre/cascade-server: CASCADE Server |
| Atomic Red Team | Basic | Red Canary | A library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. | GitHub - redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK. |
| Red Team Automation (RTA) | Basic | Endgame | A framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, leveraging the MITRE ATT&CK framework. | GitHub - endgameinc/RTA |
| Suricata | Advanced | Open Information Security Foundation (OISF) | Suricata is open-source network analysis and threat detection software utilized to protect users' assets. Suricata uses deep packet inspection to perform signature-based detection, full network protocol and flow record logging, file identification and extraction, and full packet capture on network traffic. | Home - Suricata |
| WiFi Network Security | Advanced | Aircrack-ng | This offering includes a suite of tools to assess WiFi network security, including monitoring, attacking, testing, and cracking. All tools are command line, which allows for heavy scripting. The tools must be downloaded from a browser. | |
| Zed Attack Proxy (ZAP) | Advanced | OWASP | This integrated penetration testing tool is used for finding vulnerabilities in web applications. It is designed for users with a wide range of security experience. | OWASP ZAP |
| Network Mapper | Basic | NMAP | This offering is a utility for network discovery and security auditing. Nmap uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use. | Nmap: the Network Mapper - Free Security Scanner |
| Cyber Readiness Check (CRCs) | Basic | Project Spectrum | A system that requires organizations to make an account to access the free service. This tool helps organizations determine their current level of security. | Project Spectrum |
| Perception Point | Basic | Perception Point | Perception Point's Free Email Security Plan protects organizations from any threat entering the organization via email and other collaboration channels. The plug-and-play deployment does not require a change to existing infrastructure. Once implemented, users can see, within minutes, how Perception Point's free advanced email security catches threats. | Free Email Security Plan - Perception Point |
| Semperis Purple Knight | Basic | Semperis | Purple Knight queries an organization's Active Directory environment and performs a comprehensive set of tests against the most common and effective attack vectors to uncover risky configurations and security vulnerabilities. Users receive prioritized, corrective guidance, including mapping of indicators of exposure to the MITRE ATT&CK framework, to close gaps before they get exploited by attackers. | Purple Knight \| Evaluate the security of your Active Directory. |
| Microsoft Defender Antivirus | Basic | Microsoft | This tool protects against and detects endpoint threats, including file-based and fileless malware. It is built into Windows 10 and 11 and into versions of Windows Server. | |
| Microsoft Safety Scanner | Basic | Microsoft | Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats. | |
| Windows Malicious Software Removal Tool | Basic | Microsoft | This tool is released by Microsoft on a monthly cadence as part of Windows Update or as a standalone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made. | |
| MSTICPy | Basic | Microsoft | MSTICPy is a SIEM-agnostic package of Python tools for security analysts to assist in investigations and threat hunting. It is primarily designed for use in Jupyter notebooks. | |
| Google Safe Browsing | Basic | Google | This service identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters. | |
| Coalition Control Scanning | Basic | Coalition Control | Coalition Control is your account home and includes free attack surface scanning and ongoing monitoring of your organization from the outside in. When vulnerabilities are identified, the tool will show where they are and how to fix them. Upgraded scanning requires users to be a Coalition insurance policyholder. | Coalition Control |
| Security Onion | Basic | Open Source | Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise. Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, CyberChef, NetworkMiner, and many other security tools. | Security Onion Solutions |
| Syft | Advanced | Anchore | Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. It also supports CycloneDX/SPDX and JSON formats. Syft can be installed and run directly on the developer machine to generate SBOMs for software being developed locally, or can be pointed at a filesystem. | |
| Grype | Advanced | Anchore | Grype is an open source vulnerability scanner for container images and filesystems that can be used to find zero-day vulnerabilities such as Log4j. | |
| Hedgehog | Advanced | Malcolm | Hedgehog Linux is a Debian-based operating system built to monitor network interfaces, capture packets to PCAP files, detect file transfers in network traffic and extract and scan those files for threats, and generate and forward Zeek logs. | |
| Malcolm | Advanced | CISA | Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs. | |
| ICS Network Protocol Parsers | Advanced | CISA | The industrial control systems network protocol parsers (ICSNPP) project, only compatible with Zeek, is an ongoing effort to provide open-source tools to enable asset owners, operators, and OT security teams to achieve greater operational network and process-level visibility. | |
| Lumu Free | Advanced | Lumu Technologies | Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention. Malicious incidents can be labeled to ensure prioritization according to an organization's risk tolerance. | Lumu |
| Mandiant Red Team and Investigative Tools | Advanced | Mandiant | These tools are designed to confirm and investigate suspected security compromises. | |
| Splunk Connect for Syslog | Advanced | Splunk | This tool is used for getting syslog-based data into Splunk, including functions for data filtering and parsing. | |
| Enterprise Log Search and Archive (ELSA) | Advanced | Open Source | Enterprise Log Search and Archive (ELSA) is a three-tier log receiver, archiver, indexer, and web front end for incoming syslog. | |
| Mandiant Azure AD Investigator | Advanced | Mandiant | This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are "high-fidelity" indicators of compromise; other artifacts are so-called "dual-use" artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. | |
| VirusTotal | Advanced | Google | VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public API. | |
| Netfilter | Advanced | Open Source | Netfilter is a packet filter implemented in the standard Linux kernel. The user space iptables tool is used for configuration. It supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions. It includes many different modules for handling unruly protocols, such as FTP. | |
| Wireshark | Advanced | Open Source | Wireshark is an open-source multi-platform network protocol analyzer that allows users to examine data from a live network or from a capture file on disk. The tool can interactively browse capture data, delving down into just the level of packet detail needed. Wireshark has multiple features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. | |
| Ettercap | Advanced | Open Source | Ettercap is a suite for adversary-in-the-middle attacks on a LAN that includes sniffing of live connections, content filtering on the fly, and many other features. It supports active and passive dissection of many protocols (including ciphered protocols) and includes many features for network and host analysis. | |
| Kismet | Advanced | Open Source | Kismet is a console (ncurses)-based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing and can decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps. | |
Snort Advanced Cisco This network intrusion detection and prevention system conducts traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.
sqlmap Advanced Open Source sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB, accessing the underlying file system, and executing OS commands via out-of-band connections.
RITA Advanced Open Source Real Intelligence Threat Analytics (R-I-T-A) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs or PCAPs converted to Zeek logs for analysis.
Secureworks Dalton Advanced Secureworks Dalton is a system that allows a user to run network packet captures against a network sensor of their choice using defined rulesets and/or bespoke rules. Dalton covers Snort/Suricata/Zeek analysis in one system.
Elastic SIEM Advanced Elastic This tool is an application that provides security teams with visibility, threat hunting, automated detection, and Security Operations Center (SOC) workflows. Elastic SIEM is included in the default distribution of the most successful logging platform, Elastic (ELK) Stack software. It ships with out-of-the-box detection rules aligned with the MITRE ATT&CK framework to surface threats often missed by other tools. Created, maintained, and kept up-to-date by the security experts at Elastic, these rules automatically detect and address the latest threat activity. Severity and risk scores associated with signals generated by the detection rules enable analysts to rapidly triage issues and turn their attention to the highest-risk work. Elastic SIEM: free and open for security analysts everywhere | Elastic Blog

Ensure That The Organization is Prepared to Respond if an Intrusion Occurs

Service Skill Level Owner Description Link
Caldera (MITRE ATT&CK) Basic MITRE Built on the MITRE ATT&CK Framework: A cyber security platform designed to easily automate adversary emulation, assist manual red teams, and automate incident response. GitHub - mitre/caldera: Automated Adversary Emulation Platform
OpenSSH Suite Basic OpenBSD Project This connectivity tool is used for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. OpenSSH also provides a suite of secure tunneling capabilities, several authentication methods, and configuration options. OpenSSH
Metasploit Framework Basic Rapid7 This computer security project provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Metasploit | Penetration Testing Software, Pen Testing Security | Metasploit
GRR Rapid Response Basic Google GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.
PacketBasics Basic ExtraHop Designed to integrate with AWS environments, this PCAP tool is a subset of the Reveal(x) NDR platform. PacketBasics might help some organizations develop a more comprehensive approach to tackling M-21-31 and EO-14028 modernization requirements. Introducing ExtraHop Packet Basics
Microsoft PsExec Advanced Microsoft PsExec is a lightweight telnet replacement that lets users execute processes on other systems (complete with full interactivity for console applications) without having to manually install client software. PsExec's uses include launching interactive command-prompts on remote systems and remote-enabling tools such as IpConfig that otherwise do not have the ability to show information about remote systems.
VMware Workstation Player Advanced VMware This tool runs a single virtual machine on a Windows or Linux PC. It can be used when setting up an environment to analyze malware.
VMware ESXi - Free Advanced VMware This tool can be used when setting up an environment to analyze malware. It is a bare-metal hypervisor that installs directly onto a physical server, providing direct access to, and control of, underlying resources. It can be used to effectively partition hardware to consolidate applications.
dfTimewolf Advanced Google dfTimewolf is an open-source framework for orchestrating forensic collection, processing, and data export.
Turbinia Advanced Google Turbinia is an open-source framework for deploying, managing, and running distributed forensic workloads.
Timesketch Advanced Open Source Timesketch is an open-source tool for collaborative forensic timeline analysis. Using sketches, users and their collaborators can easily organize timelines and analyze them all at the same time.
Velociraptor Advanced Rapid7 Velociraptor allows incident response teams to rapidly collect and examine artifacts from across a network and deliver forensic detail following a security incident. In the event of an incident, an investigator controls the Velociraptor agents to hunt for malicious activity, run targeted collections, perform file analysis, or pull large data samples. The Velociraptor Query Language (VQL) allows investigators to develop custom hunts to meet specific investigation needs, with the ability to adapt queries quickly in response to shifting threats and new information gained through the investigation. GitHub - Velocidex/velociraptor: Digging Deeper....

Maximize the Organization's Resilience to a Destructive Cyber Incident

Service Skill Level Owner Description Link
Metta Basic Uber-Common Leverages the MITRE ATT&CK Framework: An information security preparedness tool. This project uses Redis/Celery, Python, and Vagrant with VirtualBox to do adversarial simulation. GitHub - uber-common/metta: An information security preparedness tool to do adversarial simulation.
Sandbox Scryer Basic Hybrid-Analysis Leverages the MITRE ATT&CK Framework: An open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool can organize and prioritize findings, assisting in assembling IOCs, understanding attack movement, and hunting threats. GitHub - PayloadSecurity/Sandbox_Scryer
Forest Druid Basic Semperis An attack path discovery tool that helps cybersecurity defensive teams prioritize high-risk misconfigurations that could represent opportunities for attackers to gain privileged domain access. Forest Druid - Focus on your Tier 0 perimeter
John the Ripper Password Cracker Basic OpenWall This offering is a password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including for: user passwords of Unix flavors, macOS, Windows, groupware, and database servers; network traffic captures; encrypted private keys, filesystems and disks, archives, and document files. John the Ripper password cracker
Trusona 2-Step Verification with TOTP Basic Trusona This free mobile app can be used with any third-party service that offers 2-step verification with a 6-digit TOTP code. App users will need to input their username and password for the third-party service they would like to access. Trusona 2-Step Verification with TOTP | Trusona Docs
Microsoft Security Compliance Toolkit 1.0 Basic Microsoft This toolset allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations. Download Microsoft Security Compliance Toolkit 1.0 from Official Microsoft Download Center
Authentication Tool Advanced Trusona A passwordless authentication plugin for WordPress admins that enhances security and usability. Trusona for WordPress – WordPress plugin
HYPR Zero Advanced HYPR HYPR Zero, a True Passwordless(™) MFA platform, is designed for smaller organizations and delivers passwordless multifactor authentication. True Passwordless MFA for Small Business Pricing | HYPR
Windows Auto-Backup Basic Microsoft This tool sets up automatic backups of Windows 10 and 11 operating systems.
Google Backup & Sync Basic Google This tool backs up files on Windows or Mac computers. Note: it does not allow users to restore their system; it only saves copies of files.
Microsoft Threat Modeling Tool Advanced Microsoft This tool is designed to make threat modeling easier for developers through a standard notation for visualizing system components, data flows, and security boundaries.
Microsoft SecCon Framework Advanced Microsoft This framework is designed to help prioritize endpoint hardening recommendations.