16 Repos
Modular systems for identifying sensitive data using configurable patterns and validation logic.
Distinguishing note: Focuses on extensible detection logic for secrets rather than general-purpose regex engines.
Explore 16 awesome GitHub repositories matching security & cryptography · Detection Engines. Refine with filters or upvote what's useful.
Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platfor
Provides modular detection logic allowing users to define custom patterns and validation endpoints for identifying sensitive data.
SafeLine is a containerized web application firewall and reverse proxy designed to secure web services by inspecting incoming HTTP traffic. It acts as a security gateway that sits in front of backend infrastructure to filter malicious requests and enforce access policies before they reach the application server. The platform distinguishes itself through advanced bot mitigation and content protection capabilities. It employs challenge-response mechanisms to verify human users and dynamically obfuscates HTML and JavaScript content to prevent unauthorized scraping and code tampering. These featu
Analyzes incoming request patterns against known attack vectors to identify and block malicious payloads.
CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl
Uninstalls specific security detection patterns to stop monitoring for particular malicious activities.
Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
Detects behavioral anomalies and active threats within a cluster using system probes and signature-based rules.
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
Functions as a cloud-native detection engine that evaluates system activity against a library of rules to identify threats.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches collecting and analyzing runtime data to detect and respond to security incidents in containers.
Dieses Projekt bietet strategische Roadmaps und Leitfäden, die die Entwicklung und Bereitstellungsmuster von verwalteten Container-Orchestrierungs- und Sicherheitsdiensten detaillieren. Es dient als öffentliches Tracking-Dokument für kommende Funktionen und Entwicklungsprioritäten für EKS, ECS, ECR und Fargate. Die Ressource enthält einen Leitfaden zur Cloud-Container-Orchestrierung sowie eine Kubernetes- und ECS-Strategie, die die Entwicklung von verwaltetem Kubernetes und proprietären Orchestrierungsdiensten für Cloud-Infrastrukturen skizziert. Zudem bietet es einen Sicherheits- und Monitoring-Plan, der sich auf das Scannen bösartiger Aktivitäten und die Verfolgung der Workload-Gesundheit konzentriert. Das Material deckt ein breites Spektrum an Infrastrukturfunktionen ab, einschließlich Ressourcenbereitstellung, automatischer Skalierung von Compute und Tasks sowie Container-Image-Management. Es adressiert Netzwerk- und Traffic-Management durch Load-Balancing und Pod-Dichte-Optimierung sowie Observability durch Log-Routing und Performance-Tracking.
Provides planning for runtime threat detection systems that evaluate real-time container activity against security rules.
Dieses Projekt ist ein Sicherheits-Auditor für Mobilfunknetze und ein IMSI-Catcher-Detektor, der darauf ausgelegt ist, gefälschte Basisstationen und Überwachungshardware zu identifizieren, die versuchen, Mobilfunkverkehr abzufangen. Es fungiert als Analysetool für Funkschnittstellen und zur Kartierung von Mobilfunkmasten, wobei Verbindungen überwacht werden, um unbefugte Netzwerkinfrastruktur aufzuspüren. Das System zeichnet sich durch die Kombination von Echtzeit-Bedrohungsüberwachung mit der Fähigkeit aus, stille SMS und verdeckte Kommunikationsformen zu identifizieren, die zur Geräteortung verwendet werden. Es analysiert den Verschlüsselungsstatus, um erzwungene Netzwerk-Downgrades auf schwächere Standards zu erkennen, und verifiziert die Identität von Basisstationen durch Abgleich von Mastdaten mit öffentlichen Datenbanken. Das Tool deckt umfassende Funktionen im Bereich der Mobilfunk-Audits ab, einschließlich der Verfolgung von Signalanomalien, der Extraktion von Funk-Hardware-Daten und der Prävention von Remote-SIM-Angriffen oder unbefugten App-Installationen. Es bietet zudem eine Visualisierung der Mast-Konnektivität sowie einen Mechanismus, mit dem Benutzer eigene Erkennungs-Strings für die Überwachung verdächtiger Nachrichten definieren können. Die hardwarenahe Interaktion erfolgt durch die Ausführung von AT-Befehlen über ein Root-Terminal, um detaillierte Netzwerk-Telemetriedaten abzurufen.
Displays real-time threat levels based on base station behavior and encryption strength to alert users.
ThreatMapper is a cloud native application protection platform and infrastructure security scanner. It functions as a vulnerability management system and cloud workload telemetry collector designed to monitor workloads and detect security risks across cloud and container environments. The platform distinguishes itself through a network traffic visualizer that uses machine learning to classify communication patterns and a graph-based attack mapping system to identify high-risk paths between vulnerabilities and network dependencies. Its broader capabilities cover cloud infrastructure complianc
Identifies security threats in real-time across cloud, serverless, and container platforms.
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns witho
Applies behavioral patterns and pre-defined signatures to identify suspicious activity across distributed workloads.
Harden-Windows-Security is a security hardening tool and framework designed to reduce the attack surface of the Windows operating system through policy enforcement. It provides a collection of security presets and templates to implement official hardening standards across multiple devices. The project distinguishes itself through a comprehensive execution control system, featuring a manager for Windows Application Control and a kernel protection suite. It implements strict trust models, including kernel-mode driver whitelisting, signed policy implementation on the EFI partition, and code inte
The product uses cloud-based AI and machine learning to identify and block new malware rapidly.
Loki is an endpoint detection tool, forensic artifact analyzer, and threat intelligence scanner. It functions as a YARA-based indicator of compromise scanner designed to identify malicious persistence mechanisms, web shells, and unauthorized administration tools across local and remote systems. The project distinguishes itself by integrating multi-source threat intelligence, allowing for the loading of custom signature sets and encrypted indicators. It combines hash-based artifact detection with YARA rule execution to scan files, process memory, and registry hives for known malicious byte seq
Functions as a scanner for identifying malicious persistence mechanisms and unauthorized tools across remote systems.
Velociraptor is a digital forensics and incident response platform, endpoint detection and response system, and visibility tool. It provides a query engine and remote forensic collector used to hunt for indicators of compromise and perform triage across a fleet of hosts. The system is distinguished by its specialized query language for interrogating host state and parsing binary files. It features a notebook environment that combines markdown documentation with executable query cells to standardize investigative workflows and enable collaborative reporting. The platform covers a wide range o
Analyzes real-time system activity, configuration, and process memory to detect runtime behavioral threats.
LogonTracer is a security auditing tool designed for logon analysis and forensic log auditing. It functions as a dockerized security auditor that utilizes a security event graph database to map account names and network addresses, allowing for the visualization of complex system compromise patterns and authentication paths. The system features a Sigma detection engine that scans imported event logs against standardized rule sets to identify known malicious activity. It also includes an anomalous behavior detector that applies statistical analysis, graph algorithms, and hidden Markov models to
Provides an AI-powered engine that assesses risk against known attack tactics to generate automated detection rules.
OpenEDR is an endpoint detection and response platform designed to collect telemetry and monitor system activity to identify security breaches. It functions as a host-based intrusion detection system and telemetry collector, gathering detailed data on process, network, and file activity. The system includes a dockerized security stack that bundles search, logging, and visualization tools into containers for analyzing endpoint telemetry. It features a security event visualizer that maps process lineage and indexes logs to facilitate root-cause analysis of attacks. The platform provides capabi
Provides a comprehensive endpoint detection and response platform for monitoring system activity and detecting security breaches.
This project is a detection-as-code framework providing a library of security monitoring rules and predefined detection content for Elasticsearch data indices. It serves as a threat detection rule library designed to identify malicious activity and attack patterns across diverse data streams in cloud and on-premises environments. The framework implements a detection engineering workflow where rules are defined in YAML and managed as versioned code. It includes a set of command-line utilities for automated rule deployment, metadata searching, and template generation, supported by a Python-base
Identifies malicious activity by correlating system events and monitoring runtime behavioral patterns.