Open-source alternatives to Ossec Hids

DetectIQ is an AI-powered security rule management platform that helps create, analyze, and optimize detection rules across multiple security platforms. It can be used with the provided UI, or just with Python scripts using the self contained detectiq/core module. See examples in the examples…

DFIR LABS is a compilation of challenges that aims to provide practice in simple to advanced concepts in the following topics: Digital Forensics, Incident Response, Malware Analysis and Threat Hunting.

OpenWEC is a free and open source (GPLv3) implementation of a Windows Event Collector server running on GNU/Linux and written in Rust.

Fast Incident Response

IR drill plateform

Lynis is an automated security auditing and system hardening framework designed for UNIX-based operating systems. It functions as a command-line utility that inspects local system configurations to identify security vulnerabilities, configuration weaknesses, and compliance gaps. By executing a series of modular tests, the tool generates actionable reports and remediation suggestions to assist in strengthening system defenses. The project distinguishes itself through a highly modular architecture that relies on shell-script-based execution and native system inspection. Users can define custom

.. SPDX-FileCopyrightText: 2014 Upi Tamminen .. SPDX-FileCopyrightText: 2014-2025 Michel Oosterhof .. .. SPDX-License-Identifier: BSD-3-Clause

Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption. The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure

AntiVirus REDucer for AntiVirus REDteaming.

GoCheck a blazingly fast™ alternative to Matterpreter's DefenderCheck which identifies the exact bytes that Windows Defender AV by feeding byte slices to MpCmdRun.exe

Ecapture is a suite of specialized auditing tools designed to capture plaintext database queries, log executed shell commands, forward packet captures, and decrypt TLS traffic. The system extracts plaintext content from encrypted communications and TLS master secrets without requiring CA certificates. It further monitors data interactions by capturing SQL queries from database instances and recording commands from shell environments for host-level auditing. The toolset includes capabilities for network traffic analysis, exporting captured data to pcapng files, and forwarding events to extern

Harden-Windows-Security is a security hardening tool and framework designed to reduce the attack surface of the Windows operating system through policy enforcement. It provides a collection of security presets and templates to implement official hardening standards across multiple devices. The project distinguishes itself through a comprehensive execution control system, featuring a manager for Windows Application Control and a kernel protection suite. It implements strict trust models, including kernel-mode driver whitelisting, signed policy implementation on the EFI partition, and code inte

AzureGoat : A Damn Vulnerable Azure Infrastructure

JonMon is a research project I started to help me learn how to code and understand telemetry mechanisms. It is a collection of open-source telemetry sensors designed to provide users with visibility into the operations and activity of their Windows systems. JonMon has a kernel-level driver…

Malware Configuration And Payload Extraction

)](https://github.com/kunai-project/kunai/releases) -->

This application detects active instances of Responder by taking advantage of the fact that Responder will respond to any DNS query. Respotter uses LLMNR, mDNS, and NBNS protocols to search for a bogus hostname that does not exist (default: Loremipsumdolorsitamet). If any of the requests get a…

VirusTotal Wanna Be - Now with 100% more Hipster

FakeNet-NG - Next Generation Dynamic Network Analysis Tool

Flare-VM is a Windows malware analysis environment consisting of installation scripts that automate the provisioning of a virtual machine. It provides a comprehensive suite of reverse engineering tools, including decompilers and debuggers, along with the necessary system configurations and environment variables for security research. The project functions as a virtual machine image orchestrator, allowing for the automated creation, management, and export of specialized analysis appliances. It features configuration-driven tool selection and the ability to extend installation logic through cus

Sysmon for Linux is a tool that monitors and logs system activity including process lifetime, network connections, file system writes, and more. Sysmon works across reboots and uses advanced filtering to help identify malicious activity as well as how intruders and malware operate on your…

MISP is an open-source threat intelligence sharing platform designed for collecting, storing, and distributing structured threat indicators and intelligence. At its core, it provides a distributed synchronization protocol for transferring events between instances, an attribute-based correlation engine that links matching indicators across events, and a REST API with an OpenAPI specification for programmatic access to threat data. The platform uses formal data formats for JSON, taxonomy, galaxy, and object templates to enable compatibility across tools and communities. The platform distinguish

BadZure automates the deployment of intentionally misconfigured Entra ID tenants and Azure subscriptions, populating them with diverse entities and configurable, traversable attack paths.

Open Adversarial Exposure Validation Platform

OpenCTI is a cyber threat intelligence platform and knowledge base used to store, manage, and analyze technical security data. It functions as a threat intelligence visualization tool and an enterprise security data orchestrator that maps relationships between threat actors, malware, and vulnerabilities. The platform utilizes the STIX and TAXII standards for data representation and exchange, allowing for the sharing and receiving of standardized intelligence bundles. It distinguishes itself by converting complex security information into visual relationship diagrams and geographic maps to ide