30 open-source projects similar to crowdsecurity/crowdsec, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Crowdsec alternative.
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
Bunkerized Nginx is a containerized security automation system that provides a secure reverse proxy and web application firewall. It focuses on protecting web applications by monitoring container labels within cloud-native orchestration systems to automatically update security settings and firewall rules. The system distinguishes itself through automated security operations, including the automatic management of SSL certificates and an automated client banning mechanism that blocks IP addresses based on HTTP status codes. It features bot challenge mechanisms using CAPTCHAs, JavaScript, or coo
SafeLine is a containerized web application firewall and reverse proxy designed to secure web services by inspecting incoming HTTP traffic. It acts as a security gateway that sits in front of backend infrastructure to filter malicious requests and enforce access policies before they reach the application server. The platform distinguishes itself through advanced bot mitigation and content protection capabilities. It employs challenge-response mechanisms to verify human users and dynamically obfuscates HTML and JavaScript content to prevent unauthorized scraping and code tampering. These featu
This project is a community-curated directory of open-source software designed for deployment in private server environments and home labs. It serves as a comprehensive resource for discovering independent, self-hosted alternatives to mainstream cloud services, enabling users to maintain full data ownership and control over their digital infrastructure. The directory is structured through a hierarchical taxonomy that organizes a vast collection of applications into logical categories, ranging from media management and data analytics to private communication and team productivity tools. It dis
TheHive is a security incident response platform and multi-tenant case management system. It functions as a Security Orchestration, Automation, and Response (SOAR) tool and a threat intelligence platform designed to coordinate security investigations by managing alerts, cases, and observables. The platform is distinguished by its multi-tenant architecture, which isolates data across different organizations while supporting selective cross-tenant sharing. It features a SOAR automation engine capable of executing sandboxed JavaScript logic to automate workflows and trigger response actions thro
The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane. The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
Fail2ban is an intrusion prevention system that monitors system log files to detect malicious activity and automatically enforce security policies. By parsing log data in real time, the tool identifies patterns of unauthorized access or repeated authentication failures and responds by dynamically updating network access control lists to restrict offending sources. The software functions as a firewall automation tool that maintains stateful tracking of suspicious behavior across various network services. It utilizes a regex-driven pattern matching engine to identify specific attack signatures,
Opensnitch is a host-based application firewall for Linux that monitors and intercepts outbound network connections in real time. By hooking into kernel-level interfaces, it tracks system-wide network activity and maps connection attempts to specific local processes, allowing users to explicitly permit or deny traffic on a per-application basis. The project distinguishes itself through its ability to manage security policies across multiple distributed nodes from a single, unified dashboard. This centralized management is secured via encrypted socket communication, enabling consistent rule en
Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real-time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware a
MISP is an open-source threat intelligence sharing platform designed for collecting, storing, and distributing structured threat indicators and intelligence. At its core, it provides a distributed synchronization protocol for transferring events between instances, an attribute-based correlation engine that links matching indicators across events, and a REST API with an OpenAPI specification for programmatic access to threat data. The platform uses formal data formats for JSON, taxonomy, galaxy, and object templates to enable compatibility across tools and communities. The platform distinguish
BunkerWeb is a containerized suite of infrastructure tools that functions as a cloud-native web application firewall and Nginx reverse proxy. It provides a security layer for web applications, combining traffic routing with automated SSL certificate management and a web-based security dashboard for monitoring and configuration. The project distinguishes itself through its deep integration with container orchestrators, serving as a Kubernetes ingress controller that automates security settings and service discovery via container labels. It features a plugin-based extension model and a manageme
Harden-Windows-Security is a security hardening tool and framework designed to reduce the attack surface of the Windows operating system through policy enforcement. It provides a collection of security presets and templates to implement official hardening standards across multiple devices. The project distinguishes itself through a comprehensive execution control system, featuring a manager for Windows Application Control and a kernel protection suite. It implements strict trust models, including kernel-mode driver whitelisting, signed policy implementation on the EFI partition, and code inte
LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable. The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, pro
Security-101 is a vendor-agnostic, foundational cybersecurity learning curriculum organized into modular, framework-aligned modules. It is designed to build core knowledge across multiple security domains without tying content to specific products or platforms, making it suitable for both beginners and professionals seeking a structured introduction to the field. The curriculum is built around established security frameworks, including the MITRE ATT&CK framework for standardized threat analysis and the NIST Cybersecurity Framework for incident response workflows. It covers a broad range of do
Pangolin is a zero-trust remote access platform designed to provide secure, identity-aware connectivity to private network resources. It functions as a cloud-native network controller that orchestrates encrypted tunnels, traffic routing, and access policies across distributed environments. By leveraging WireGuard for secure data transport, the platform enables authenticated access to internal web applications, terminal sessions, and remote desktops without exposing services to the public internet. The platform distinguishes itself through a declarative infrastructure model that synchronizes n
Nuclei-templates is a security automation framework and vulnerability scanning library designed for the continuous assessment of distributed infrastructure. It functions as a collection of structured configuration files that define how to identify security flaws and misconfigurations across web applications and network services. The project utilizes a declarative domain-specific language to decouple detection logic from the underlying execution engine. This approach allows for the creation of modular, protocol-agnostic scanning rules that can be updated independently of the core software. By
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
This project is a comprehensive security hardening and privacy management guide for macOS. It provides a set of instructions and checklists for reducing the system attack surface through manual configuration, policy enforcement, and a layered defense strategy. The guide emphasizes a system auditing framework, using binary analysis, system logs, and packet inspection to verify that security controls and application sandboxing are functioning as intended. It offers tool-agnostic recommendations, defining security goals while allowing users to select their own third-party software for implementa
Evilginx2 is a man-in-the-middle phishing framework designed to proxy authentication traffic between a user and a target web service. By acting as a reverse proxy, the tool intercepts and relays web requests to capture credentials and session tokens in real time, enabling the bypass of multi-factor authentication mechanisms through session cookie hijacking. The platform distinguishes itself by integrating infrastructure orchestration with modular template-driven content injection. It automates the deployment of proxy servers, manages the lifecycle of encryption certificates, and applies conte
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing o
OpenCTI is a cyber threat intelligence platform and knowledge base used to store, manage, and analyze technical security data. It functions as a threat intelligence visualization tool and an enterprise security data orchestrator that maps relationships between threat actors, malware, and vulnerabilities. The platform utilizes the STIX and TAXII standards for data representation and exchange, allowing for the sharing and receiving of standardized intelligence bundles. It distinguishes itself by converting complex security information into visual relationship diagrams and geographic maps to ide
This project is a collection of configuration files and scripts serving as a bot blocker and security middleware for Nginx. It functions as an automated blocklist manager that filters malicious user-agents and IP addresses to mitigate vulnerability scanning, login brute-forcing, and DDoS attacks. The system distinguishes itself by automating the maintenance of security rules, downloading updated bot definitions and reloading the server on a schedule. It also includes a search engine spam filter capable of generating robots.txt files and link disavow lists to prevent malicious domains from imp
This repository is a technical documentation site and a collection of guides and references for implementing networking, security, and cloud infrastructure services. It functions as a static-site generated portal and a headless content platform, separating source files from the presentation layer to enable flexible rendering. The project utilizes markdown-based documentation stored in a version-controlled Git repository. It provides specialized technical content including an AI platform documentation for building agents and managing inference, a cloud infrastructure guide for DNS and CDN conf
ClamAV is an open-source antivirus engine and malware detection scanner. It identifies trojans, viruses, and other malicious software by scanning files and data streams against a database of known signatures. The system functions as a signature-based threat detector, allowing for the implementation of threat intelligence by turning malware samples into actionable signatures. It supports the creation of custom malware signatures to identify specific or specialized security threats. The engine provides capabilities for endpoint security monitoring and comprehensive malware detection scanning a
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns witho
gstack is an AI agent framework and development workflow system designed to automate the software development lifecycle. It coordinates specialized AI personas to manage tasks across product design, engineering management, and quality assurance, transforming product intent into technical specifications and final releases. The project is distinguished by its deep integration of headless browser automation and semantic code memory. It utilizes a persistent Chromium daemon for web scraping and visual auditing, and implements a searchable knowledge base that logs architectural decisions and repos
Sigma is a generic SIEM signature format and log event pattern standard used to describe malicious activity. It provides a vendor-neutral system for defining security event patterns in YAML, ensuring that detection logic remains portable across different monitoring platforms. The project maintains a curated library of peer-reviewed detection rules that identify threats and compliance violations. This standardized approach allows for the exchange of threat hunting logic and the translation of generic signatures into specific queries for various security information and event management systems
Proxyman is a cross-platform HTTP debugging proxy that captures, inspects, and modifies HTTP, HTTPS, and WebSocket traffic. It functions as a man-in-the-middle proxy, decrypting SSL/TLS traffic to allow real-time inspection and modification of encrypted requests and responses. The tool is designed for debugging web and mobile applications, with capabilities for API mocking and simulation, scriptable traffic modification, and team collaboration on network logs. What distinguishes Proxyman is its deep integration with mobile and cross-platform development workflows. It provides automated certif