This service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. It provides weekly vulnerability reports and ad-hoc alerts. See https://www.cisa.gov/cyber-resource-hub for details.
This service evaluates known and discovered publicly accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks. See https://www.cisa.gov/cyber-resource-hub for details.
This service provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training. See https://www.cisa.gov/cyber-resource-hub for details.
This test simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally available applications, and the potential for exploitation of open source information. See https://www.cisa.gov/cyber-resource-hub for details.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Cloudflare allows any internet property to use SSL with the click of a button.
Cybersecurity Evaluation Tool (CSET) and On-Site Cybersecurity Consulting
This tool assists organizations in protecting their key national cyber assets. The tool provides users with a systematic and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.
Web Risk API is a User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Web Risk API lets organizations compare URLs in their environment against a repository of over 1 million unsafe URLs.
This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities and threats; and helping them mitigate and remediate risks.
Security Scorecards is a collection of security health metrics for open source, allowing users to evaluate the security practices of an open source package before use. Results are publicly available as a Google Cloud BigQuery dataset.
CRT is a free community tool designed to help organizations quickly and easily review excessive permissions in their Azure AD environments. CRT helps determine configuration weaknesses and provides advice to mitigate this risk.
This free version of a vulnerability assessment solution includes remote and local (authenticated) security checks, a client/server architecture with a web-based interface, and an embedded scripting language for writing your own plugins or understanding existing ones. Limited by default to 16 hosts.
Alien Labs Open Threat Exchange (OTX) Endpoint Security
This tool leverages data from Alien Labs OTX to help identify if endpoints have been compromised in major cyberattacks. It provides quick visibility into threats on all endpoints by scanning for IOCs using OTX.
OTX provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating security infrastructure with threat data from any source. OTX enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.
ClamAV is an open-source (general public license [GPL]) antivirus engine used in a variety of situations, including email and web scanning, and endpoint security. It provides many utilities for users, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates.
Cloudflare Zero Trust Services are essential security controls to keep employees and apps protected online across 3 network locations and up to 50 users. Services include: Zero Trust Network Access; Secure Web Gateway; Private Routing to IP/Hosts; HTTP/S Inspection and Filters; Network Firewall as a Service; DNS Resolution and Filters; and Cloud Access Security Broker.
Memory integrity in Windows—also known as Hypervisor-protected code integrity (HVCI)—is a Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack computers.
The RiskIQ community offers free access to internet intelligence, including thousands of OSINT articles and artifacts. Community users can investigate threats by pivoting through attacker infrastructure data, understand what digital assets are internet-exposed, and map and monitor their external attack surface.
IBM X-Force Exchange is a cloud-based threat intelligence platform that allows users to consume, share, and act on threat intelligence. It enables users to conduct rapid research of the latest global security threats, aggregate actionable intelligence, consult with experts, and collaborate with peers.
This early warning system for information security allows you to: create comprehensive visibility through graph-based mapping; know when assets change to stay ahead of the threat; and empower security operations to mitigate real-world threats.
This Java-based tool is used to find vulnerabilities in web applications. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks, such as SQL injection and cross-site scripting.
Nikto is an open source (GPL) web server scanner that performs vulnerability scanning against web servers for multiple items, including dangerous files and programs. Nikto checks for outdated versions of web server software. It also checks for server configuration errors and any possible vulnerabilities they might have introduced.
The PhishInSuits (pis.py) tool conducts security assessments and tests control frameworks against scenarios, such as BEC attacks. It combines this variation of illicit consent attacks with SMS-based phishing to emulate BEC campaigns and includes automated data-exfiltration capabilities.
The WhiskeySAML tool automates the remote extraction of an ADFS signing certificate. WhiskeySAML then uses this signing certificate to launch a Golden SAML attack and impersonate any user within the target organization.
Tachyon is a rapid web application security reconnaissance tool. It is designed to crawl a web application and look for leftover or non-indexed files with the addition of reporting pages or scripts leaking internal data (a.k.a “blind” crawling). It is used from the command line and targeted at a specific domain. Tachyon uses an internal database to construct these blind queries swiftly.
Vane2 is a WordPress site vulnerability scanner. It is meant to be targeted at WordPress websites and identifies the corresponding WordPress version as well as its installed plugins in order to report known vulnerabilities on each.
Batea is a practical application of machine learning for pentesting and network reconnaissance. It consumes nmap reports and uses a context-driven network device ranking framework based on the anomaly detection family of machine learning algorithms. The goal of Batea is to allow security teams to automatically filter interesting network assets in large networks using nmap scan reports.
This tool scans Infrastructure as Code (IaC), container images, open-source packages, and pipeline configuration for security errors. With hundreds of built-in policies, Checkov surfaces misconfigurations and vulnerabilities in code across developer tools (CLI, IDE) and workflows (CI/CD pipelines).
Palo Alto Networks Unit 42 - Actionable Threat Objects and Mitigations (ATOMs)
Palo Alto Networks
ATOMs is a free repository of observed behaviors of several common threat adversaries, mapped to the MITRE ATT&CK framework. ATOMs can be filtered by targeted sector, region, or malware used for ease of information sharing and deployment of recommended security mitigations.
ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software. It is also the fuzzing backend for Google OSS-Fuzz. ClusterFuzz Lite is simple CI-integrated fuzzing based on ClusterFuzz.
This tool is released by Microsoft on a monthly cadence as part of Windows Update or as a standalone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.
This service identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. Some indicators are “high-fidelity” indicators of compromise; other artifacts are so-called “dual-use” artifacts. Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality.
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public API.
Netfilter is a packet filter implemented in the standard Linux kernel. The user space iptables tool is used for configuration. It supports packet filtering (stateless or stateful), many kinds of network address and port translation (NAT/NAPT), and multiple API layers for third-party extensions. It includes many different modules for handling unruly protocols, such as FTP.
Wireshark is an open-source multi-platform network protocol analyzer that allows users to examine data from a live network or from a capture file on disk. The tool can interactively browse capture data, delving down into just the level of packet detail needed. Wireshark has multiple features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types.
Ettercap is a suite for adversary-in-the-middle attacks on LAN that includes sniffing of live connections, content filtering on the fly, and many other features. It supports active and passive dissection of many protocols (including ciphered protocols) and includes many features for network and host analysis.
Kismet is a console (ncurses)-based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing and can decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps.
This network intrusion detection and prevention system conducts traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB, accessing the underlying file system, and executing OS commands via out-of-band connections.
Real Intelligence Threat Analytics (R-I-T-A) is an open-source framework for detecting command and control communication through network traffic analysis. The RITA framework ingests Zeek logs or PCAPs converted to Zeek logs for analysis.
Dalton is a system that allows a user to run network packet captures against a network sensor of their choice using defined rulesets and/or bespoke rules. Dalton covers Snort/Suricata/Zeek analysis in one system.
GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.
PsExec is a lightweight telnet replacement that lets users execute processes on other systems (complete with full interactivity for console applications) without having to manually install client software. PsExec’s uses include launching interactive command-prompts on remote systems and remote-enabling tools such as IpConfig that otherwise do not have the ability to show information about remote systems.
This tool can be used when setting up an environment to analyze malware. It is a bare-metal hypervisor that installs directly onto a physical server, providing direct access to, and control of, underlying resources. It can be used to effectively partition hardware to consolidate applications.