Awesome Cybersecurity Blue Team

A collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Cybersecurity blue teams are groups of individuals who identify security flaws in information technology systems, verify the effectiveness of security measures, and monitor the systems to ensure that implemented defensive measures remain effective in the future. While not exclusive, this list is heavily biased towards Free Software projects and against proprietary products or corporate services. For offensive TTPs, please see awesome-pentest.

Your contributions and suggestions are heartily ♥ welcome. (✿◕‿◕). Please check the Contributing Guidelines for more details. This work is licensed under a Creative Commons Attribution 4.0 International License.

Many cybersecurity professionals enable racist state violence, wittingly or unwittingly, by providing services to local, state, and federal policing agencies or otherwise cooperating with similar institutions who do so. This evil most often happens through the coercive mechanism of employment under threat of lack of access to food, shelter, or healthcare. Despite this list's public availability, it is the maintainer's intention and hope that this list supports the people and organizations who work to counter such massive albeit banal evil.

DEFUND THE POLICE.

Contents

• Automation and Convention
  • Code libraries and bindings
  • Security Orchestration, Automation, and Response (SOAR)
• Cloud platform security
  • Distributed monitoring
  • Kubernetes
  • Service meshes
• Communications security (COMSEC)
• DevSecOps
  • Application or Binary Hardening
  • Compliance testing and reporting
  • Dependency confusion
  • Fuzzing
  • Policy enforcement
  • Supply chain security
• Honeypots
  • Tarpits
• Host-based tools
  • Sandboxes
• Identity and AuthN/AuthZ
• Incident Response tools
  • IR management consoles
  • Evidence collection
• Network perimeter defenses
  • Firewall appliances or distributions
• Operating System distributions
• Phishing awareness and reporting
• Preparedness training and wargaming
  • Post-engagement analysis and reporting
• Security configurations
• Security monitoring
  • Endpoint Detection and Response (EDR)
  • Network Security Monitoring (NSM)
  • Security Information and Event Management (SIEM)
  • Service and performance monitoring
  • Threat hunting
• Threat intelligence
  • Fingerprinting
  • Threat signature packages and collections
• Tor Onion service defenses
• Transport-layer defenses
  • Overlay and Virtual Private Networks (VPNs)
• macOS-based defenses
• Windows-based defenses
  • Active Directory

Automation and Convention

• Ansible Lockdown - Curated collection of information security themed Ansible roles that are both vetted and actively maintained.
• Clevis - Plugable framework for automated decryption, often used as a Tang client.
• DShell - Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.
• Dev-Sec.io - Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
• Password Manager Resources - Collaborative, crowd-sourced data and code to make password management better.
• peepdf - Scriptable PDF file analyzer.
• PyREBox - Python-scriptable reverse engineering sandbox, based on QEMU.
• Watchtower - Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.

Code libraries and bindings

• MultiScanner - File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.
• Posh-VirusTotal - PowerShell interface to VirusTotal.com APIs.
• censys-python - Python wrapper to the Censys REST API.
• libcrafter - High level C++ network packet sniffing and crafting library.
• python-dshield - Pythonic interface to the Internet Storm Center/DShield API.
• python-sandboxapi - Minimal, consistent Python API for building integrations with malware sandboxes.
• python-stix2 - Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.

Security Orchestration, Automation, and Response (SOAR)

See also Security Information and Event Management (SIEM), and IR management consoles.

• Shuffle - Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Cloud platform security

See also asecure.cloud/tools.

• Aaia - Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.
• Falco - Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
• Kata Containers - Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
• Principal Mapper (PMapper) - Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization.
• Prowler - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
• Scout Suite - Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
• gVisor - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Distributed monitoring

See also § Service and performance monitoring.

• Cortex - Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.
• Jaeger - Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.
• OpenTelemetry - Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).
• Prometheus - Open-source systems monitoring and alerting toolkit originally built at SoundCloud.
• Zipkin - Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.

Kubernetes

See also Kubernetes-Security.info.

• KubeSec - Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service.
• Kyverno - Policy engine designed for Kubernetes.
• Linkerd - Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.
• Managed Kubernetes Inspection Tool (MKIT) - Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
• Polaris - Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.
• Sealed Secrets - Kubernetes controller and tool for one-way encrypted Secrets.
• certificate-expiry-monitor - Utility that exposes the expiry of TLS certificates as Prometheus metrics.
• k-rail - Workload policy enforcement tool for Kubernetes.
• kube-forensics - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
• kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.
• kubernetes-event-exporter - Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.

Service meshes

See also ServiceMesh.es.

• Consul - Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.
• Istio - Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Communications security (COMSEC)

See also Transport-layer defenses.

• GPG Sync - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.
• Geneva (Genetic Evasion) - Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.
• GlobaLeaks - Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
• SecureDrop - Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.
• Teleport - Allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments.

DevSecOps

See also awesome-devsecops.

• Bane - Custom and better AppArmor profile generator for Docker containers.
• BlackBox - Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.
• Checkov - Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
• Cilium - Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
• Clair - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
• CodeQL - Discover vulnerabilities across a codebase by performing queries against code as though it were data.
• DefectDojo - Application vulnerability management tool built for DevOps and continuous security integration.
• Gauntlt - Pentest applications during routine continuous integration build pipelines.
• Git Secrets - Prevents you from committing passwords and other sensitive information to a git repository.
• SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
• Snyk - Finds and fixes vulnerabilities and license violations in open source dependencies and container images.
• SonarQube - Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.
• Trivy - Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.
• Vault - Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.
• git-crypt - Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.
• helm-secrets - Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS.
• terrascan - Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources.
• tfsec - Static analysis security scanner for your Terraform code designed to run locally and in CI pipelines.

Application or Binary Hardening

• DynInst - Tools for binary instrumentation, analysis, and modification, useful for binary patching.
• DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
• Egalito - Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
• Valgrind - Instrumentation framework for building dynamic analysis tools.

Compliance testing and reporting

• Chef InSpec - Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
• OpenSCAP Base - Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Dependency confusion

See also § Supply chain security.

• Dependency Combobulator - Open source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.
• [Confusion