GitHub: Vyntral/awesome-killchain

Stars: 1 | Forks: 0

# Awesome Killchain [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re) [![Build](https://img.shields.io/github/actions/workflow/status/Vyntral/awesome-killchain/build.yml?branch=main&style=flat-square&label=build)](https://github.com/Vyntral/awesome-killchain/actions/workflows/build.yml) [![Stars](https://img.shields.io/github/stars/Vyntral/awesome-killchain?style=flat-square)](https://github.com/Vyntral/awesome-killchain/stargazers) [![Last commit](https://img.shields.io/github/last-commit/Vyntral/awesome-killchain?style=flat-square)](https://github.com/Vyntral/awesome-killchain/commits) [![Code license](https://img.shields.io/badge/code-MIT-blue?style=flat-square)](LICENSE-CODE) [![Content license](https://img.shields.io/badge/content-CC--BY--4.0-lightgrey?style=flat-square)](LICENSE-CONTENT) [![X](https://img.shields.io/badge/X-@vyntral-black?style=flat-square&logo=x)](https://x.com/vyntral)

🟢 115 active · 🟡 12 stale · 🔴 28 unmaintained · last refresh: 2026-06-02

## 📊 At a glance

_[Summary badges: Total · Active · Stale · Top AKS]_

**🏆 Top 5 by AKS Score (Awesome Killchain Score, 0–100):**

| | Tool | AKS | Stars |
|--|------|----:|------:|
| 🥇 | **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** | 98 | 69.1k |
| 🥈 | **[SecLists](https://github.com/danielmiessler/SecLists)** | 97 | 71.3k |
| 🥉 | **[Promptfoo](https://github.com/promptfoo/promptfoo)** | 97 | 21.8k |
| 4 | **[Trivy](https://github.com/aquasecurity/trivy)** | 96 | 35.3k |
| 5 | **[Maigret](https://github.com/soxoj/maigret)** | 96 | 31.2k |

📊 **[Full live dashboard →](DASHBOARD.md)** with ATT&CK heatmap, hidden gems, legacy brands, sankey flow, language/license breakdowns, and more (auto-refreshed daily).

## Why awesome-killchain?

The space already has [great awesome lists](https://github.com/Hack-with-Github/Awesome-Hacking). This one is different on purpose — it indexes tools by **MITRE ATT&CK tactic × target domain**, not alphabetically.

| | This list | Typical awesome list |
| --- | --- | --- |
| Organization | **MITRE ATT&CK tactic × target matrix** — find tools by the phase you're in, not alphabetically | Alphabetical, or one flat dump |
| Quality signals | **🟢🟡🔴 health auto-refreshed daily** by CI (stars, last release, archived flag) | Static markdown, link rot accumulates |
| Editorial value | Each tool has **`when_to_use`** (1-2 operational sentences) and **`alternatives`** | Just name + one-line description |
| Per-domain reference | **[Auto-generated cheatsheets](cheatsheets/)** — one per target (web, AD, cloud-aws, ai-llm, …) | None |
| Source of truth | YAML files in [`data/tools/`](data/tools/) — easy to contribute, easy to fork | Hand-edited markdown that drifts |

**Use this list when:** you want a workflow-driven reference that answers _"I'm in phase X targeting Y, what's the right tool?"_ with current, maintained options.

Defensive entries are mapped to the **MITRE D3FEND** countermeasure framework (Detection, Hardening, Isolation, Deception, Eviction, Restoration) — the official ATT&CK companion for defenders that no other awesome-list cites in earnest.

**Use [`enaqx/awesome-pentest`](https://github.com/enaqx/awesome-pentest) (26k★) or [`Hack-with-Github`](https://github.com/Hack-with-Github/Awesome-Hacking) (112k★) when:** you want broad alphabetical coverage of everything ever made.

### What we don't track

This list focuses on **tools with a public GitHub presence** so we can keep live metadata fresh. Essential commercial tools without a GitHub repo (Burp Suite, Cobalt Strike, KAPE, Nessus, etc.) are intentionally out of scope — they're widely covered elsewhere and we'd rather not pretend to track their freshness.

### Related projects worth knowing

- **[mukul975/Threatswarm](https://github.com/mukul975/Threatswarm)** — AI agents that *execute* kill-chain operations as a Claude Code plugin. Different category from this list (they run, we index), but the two complement each other: use this repo as the knowledge base for what to invoke.

## How to navigate

- 📂 **Browse by target:** see [cheatsheets/](cheatsheets/) for per-domain tool lists (web, cloud-aws, active-directory, ai-llm, ...)
- 📊 **See the live dashboard:** [DASHBOARD.md](DASHBOARD.md) — Mermaid charts of tool health, AKS distribution, ATT&CK coverage, top/bottom 10, hidden gems, and more, auto-refreshed daily
- 📖 **Read here:** scroll by ATT&CK tactic phase below
- 🎯 **Looking for a scenario?** see [Playbooks](#playbooks)
- 🔌 **Consume as data:** machine-readable `tools.json` available as [release asset](https://github.com/Vyntral/awesome-killchain/releases/latest) — schema + playbooks + taxonomy bundled
- 🪦 **Tools that died:** see [OBITUARIES.md](OBITUARIES.md) for the stories behind the 🔴 entries
- 💎 **One operator's picks:** see [stacks/](stacks/) for opinionated minimum-viable stacks (web BB, AD, AWS, mobile, AI, web3) with explicit rejections
- 🚨 **CVE responses:** see [cve-responses/](cve-responses/) for structured detection/exploitation/mitigation mappings when critical CVEs drop

## Legend

| Symbol | Meaning |
|--------|---------|
| 🟢🟡🔴 | Health (active / stale / unmaintained) |
| ⭐ N | GitHub stars (auto-refreshed daily) |
| ★ / ★★ / ★★★ | Beginner / Intermediate / Advanced |
| 💰 | Paid or freemium |

## Offensive (ATT&CK tactics)

### 🔍 Reconnaissance

#### 🌐 Web applications

(showing top 3 of 23 — see [full cheatsheet](cheatsheets/web.md))

- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: Run with web-specific templates from nuclei-templates/http/ — CVE-tagged templates for CMS vulnerabilities, exposed admin panels, and misconfiguration checks on web targets._
  _Alternatives: jaeles, dalfox_
- 🟢 **[SpiderFoot](https://github.com/smicallef/spiderfoot)** ★★ ⭐18k · Python · MIT
  Automated OSINT collection framework that correlates data across 200+ modules covering IPs, domains, emails, and threat intel feeds.
  _Use when: When you need fully automated, deep passive reconnaissance with correlated results across dozens of data sources; use recon-ng when you prefer manual module-by-module control._
  _Alternatives: recon-ng_
- 🟢 **[Katana](https://github.com/projectdiscovery/katana)** ★★ ⭐16.9k · Go · MIT
  Next-generation web crawler designed for automated endpoint discovery with JavaScript parsing and headless browser support.
  _Use when: When you have confirmed live web targets and need to map all reachable endpoints, forms, and JS-loaded paths before manual testing or automated scanning._
  _Alternatives: gospider, hakrawler_
- _…and 20 more in [`cheatsheets/web.md`](cheatsheets/web.md)_

#### 🔌 APIs (REST, GraphQL, gRPC)

(showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))

- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: Target with api/ and exposures/ templates to detect exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses._
  _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.2k · Go · MIT
  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists.
  _Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._
  _Alternatives: feroxbuster, gobuster_
- 🟢 **[OWASP ZAP](https://github.com/zaproxy/zaproxy)** ★ ⭐15.2k · Java · Apache-2.0
  Open-source web application security scanner maintained by OWASP, with automated scanning, spidering, and a proxy for manual testing.
  _Use when: When you need a free, fully automated web scanner or a Burp alternative in CI/CD pipelines where a headless/API-driven scan is required._
  _Alternatives: burp-suite_
- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_

#### 🤖 Android

- 🟡 **[APKLeaks](https://github.com/dwisiswant0/apkleaks)** ★ ⭐6.1k · Python · Apache-2.0
  Scans APK files for hardcoded URIs, endpoints, secrets, and API keys using regex pattern matching on decompiled code.
  _Use when: As a fast first step when receiving an Android APK to extract hardcoded secrets, API endpoints, and sensitive strings before deeper static or dynamic analysis._

#### 🌐 Network (IP, TCP/UDP, services)

(showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: Use network/ and ssl/ templates for network service fingerprinting, protocol version detection, and SSL/TLS misconfiguration checks across port-scanned hosts._
  _Alternatives: jaeles, dalfox_
- 🟢 **[Masscan](https://github.com/robertdavidgraham/masscan)** ★★ ⭐25.8k · C · AGPL-3.0
  Fastest TCP/UDP port scanner capable of scanning the entire IPv4 internet in under six minutes using a custom async network stack.
  _Use when: When you need rapid port discovery across large CIDR ranges where nmap speed is insufficient; feed the open port list into nmap for service/version detection afterward._
  _Alternatives: naabu, nmap_
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system.
  _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory

(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🔴 **[Kerbrute](https://github.com/ropnop/kerbrute)** ★★ ⭐3.3k · Go · MIT
  Fast Kerberos pre-auth brute-forcing and user enumeration tool that avoids traditional LDAP queries by speaking directly to the KDC.
  _Use when: When you need to enumerate valid AD usernames or spray passwords against Kerberos without triggering LDAP-based detection; combines with a user list from OSINT for AS-REP roasting prep._
  _Alternatives: rubeus_
- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0
  Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths.
  _Use when: When you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis._
  _Alternatives: adrecon_
- 🟡 **[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)** ★★ ⭐1.4k · Python · MIT
  Active Directory information dumper via LDAP that exports users, groups, computers, and GPOs to structured JSON and HTML reports.
  _Use when: When you have valid domain credentials and want a quick structured dump of AD objects (users, groups, computers, policies) for offline analysis without installing BloodHound._
  _Alternatives: bloodhound-python_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS

(showing top 3 of 5 — see [full cheatsheet](cheatsheets/cloud-aws.md))

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
  AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments.
  _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._
  _Alternatives: cloudsploit, prowler_
- _…and 2 more in [`cheatsheets/cloud-aws.md`](cheatsheets/cloud-aws.md)_

#### ☁️ Google Cloud

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_

#### ☁️ Azure

(showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_
- _…and 1 more in [`cheatsheets/cloud-azure.md`](cheatsheets/cloud-azure.md)_

#### ☁️ Cloud (generic / multi-cloud)

- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_

#### 🏭 ICS / SCADA

- 🟡 **[modbus-cli](https://github.com/tallakt/modbus-cli)** ★ ⭐114 · Ruby · MIT
  Command-line client for reading from and writing to Modbus devices over TCP or serial connections.
  _Use when: When you need to quickly read registers or coils from a Modbus device during an ICS assessment to understand process data without writing custom code._
- 🔴 **[PLCscan](https://github.com/meeas/plcscan)** ★★ ⭐113 · Python · MIT
  Scanner for detecting Siemens S7 and Modbus PLCs on a network during ICS security assessments.
  _Use when: When scoping an ICS/OT assessment and you need to identify reachable PLCs on a network segment. Use before deeper protocol-level testing with ISF or manual interaction._

#### 📶 Radio / wireless

- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system.
  _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._

#### 🐳 Containers / Kubernetes

- 🔴 **[kube-hunter](https://github.com/aquasecurity/kube-hunter)** ★★ ⭐5.1k · Python · Apache-2.0
  Kubernetes cluster penetration testing tool that hunts for security weaknesses from inside or outside the cluster, including RBAC misconfigurations and exposed APIs.
  _Use when: When testing a Kubernetes cluster for exposed API endpoints, privileged pods, or RBAC misconfigurations; run in remote mode from outside and passive mode from inside a compromised pod._
  _Alternatives: kubescape_

### 🧰 Resource Development

#### 🌐 Network (IP, TCP/UDP, services)

- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
  MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses.
  _Use when: Run network-targeted adversary profiles to validate lateral movement detection — test SMB, WMI, and SSH-based movement techniques with ATT&CK-mapped operations across network segments._
  _Alternatives: atomic-red-team, stratus-red-team_

#### 🏛️ Active Directory

- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
  MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses.
  _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement._
  _Alternatives: atomic-red-team, stratus-red-team_

#### ☁️ AWS

- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure.
  _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._
  _Alternatives: atomic-red-team_

#### ☁️ Azure

- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure.
  _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._
  _Alternatives: atomic-red-team_

### 🚪 Initial Access

#### 🌐 Web applications

- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause
  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks.
  _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._
  _Alternatives: sliver, cobalt-strike_
- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause
  Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA.
  _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and valid TLS certificate to be effective._
  _Alternatives: gophish, modlishka_
- 🔴 **[GoPhish](https://github.com/gophish/gophish)** ★ ⭐13.9k · Go · MIT
  Open-source phishing simulation framework for building, launching, and tracking phishing campaigns against target organizations.
  _Use when: When scoping a phishing simulation or red team initial access phase; provides a built-in dashboard for tracking click rates and credential submissions per campaign._
  _Alternatives: evilginx2, king-phisher_

#### 🌐 Network (IP, TCP/UDP, services)

- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause
  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks.
  _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._
  _Alternatives: sliver, cobalt-strike_
- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0
  LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks.
  _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx._
  _Alternatives: inveigh_

#### 🏛️ Active Directory

- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0
  LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks.
  _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx._
  _Alternatives: inveigh_

### ▶️ Execution

#### 🌐 Web applications

- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause
  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks.
  _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._
  _Alternatives: sliver, cobalt-strike_

#### 🌐 Network (IP, TCP/UDP, services)

(showing top 3 of 9 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause
  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks.
  _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._
  _Alternatives: sliver, cobalt-strike_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks.
  _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._
  _Alternatives: crackmapexec, evil-winrm_
- 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0
  Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels.
  _Use when: When you need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations._
  _Alternatives: cobalt-strike, mythic_
- _…and 6 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory

(showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks.
  _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._
  _Alternatives: crackmapexec, evil-winrm_
- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
  MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses.
  _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement._
  _Alternatives: atomic-red-team, stratus-red-team_
- 🟢 **[Evil-WinRM](https://github.com/Hackplayers/evil-winrm)** ★★ ⭐5.4k · Ruby · LGPL-3.0
  WinRM shell for penetration testing that provides file transfer, in-memory PowerShell script loading, and pass-the-hash authentication support.
  _Use when: When WinRM (port 5985/5986) is open on a Windows target and you have valid credentials or an NTLM hash to obtain an interactive shell with built-in upload/download capability._
  _Alternatives: impacket, crackmapexec_
- _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

### 📌 Persistence

#### 🏛️ Active Directory

- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
  Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry.
  _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._
  _Alternatives: impacket, certipy_
- 🟢 **[Certipy](https://github.com/ly4k/Certipy)** ★★★ ⭐3.5k · Python · MIT
  Active Directory Certificate Services (AD CS) attack tool for enumerating misconfigurations, forging certificates, and escalating privileges via ESC1-ESC13 attack paths.
  _Use when: When AD CS is deployed in the environment — enumerate certificate templates for ESC misconfigurations, then forge certificates to obtain domain admin credentials or persistent access._
  _Alternatives: mimikatz_

### ⬆️ Privilege Escalation

#### 🌐 Network (IP, TCP/UDP, services)

(showing top 3 of 5 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
  Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs.
  _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis._
  _Alternatives: peass-ng, linux-exploit-suggester_
- 🟢 **[PEASS-ng](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
  Suite containing LinPEAS and WinPEAS privilege escalation scripts for automated local enumeration on Linux, Windows, and macOS hosts.
  _Use when: When you need a single repository that covers both Linux and Windows privilege escalation enumeration; pull the relevant script (LinPEAS or WinPEAS) for the target OS._
  _Alternatives: linpeas, winpeas_
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials.
  _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._
  _Alternatives: seatbelt, powerup_
- _…and 2 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory

(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials.
  _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._
  _Alternatives: seatbelt, powerup_
- 🔴 **[PowerUp](https://github.com/PowerShellMafia/PowerSploit)** ★★ ⭐13k · PowerShell · BSD-3-Clause
  PowerShell script for identifying common Windows privilege escalation vectors such as unquoted service paths and modifiable service binaries.
  _Use when: When enumerating Windows privesc vectors on a low-privilege shell; note that the parent project PowerSploit is archived but PowerUp remains a valid technique reference and still functions on modern Windows hosts._
  _Alternatives: winpeas, seatbelt_
- 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause
  C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system.
  _Use when: After initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps._
  _Alternatives: winpeas, powerup_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS

- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
  AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments.
  _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._
  _Alternatives: cloudsploit, prowler_
- 🔴 **[enumerate-iam](https://github.com/andresriancho/enumerate-iam)** ★★ ⭐1.2k · Python · MIT
  Enumerates AWS IAM permissions for a given set of credentials by bruteforcing API calls and reporting allowed actions.
  _Use when: When you have AWS credentials of unknown privilege level and need to map all allowed actions before attempting privilege escalation; use Pacu for a full exploitation framework._
  _Alternatives: pacu_

#### ☁️ Azure

- 🟢 **[MicroBurst](https://github.com/NetSPI/MicroBurst)** ★★ ⭐2.4k · PowerShell · MIT
  PowerShell toolkit for Azure security assessment covering storage, Key Vault, Active Directory, and service enumeration.
  _Use when: During Azure red team engagements to enumerate resources, extract secrets from Key Vault and storage blobs, and identify misconfigured service principals._

#### 🐳 Containers / Kubernetes

- 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0
  Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques.
  _Use when: When you have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes._
  _Alternatives: kube-hunter_

### 🥷 Defense Evasion

#### 🤖 Android

- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.2k · Python · GPL-3.0
  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root.
  _Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore app file system during a mobile penetration test._
  _Alternatives: frida, mobsf_

#### 📱 iOS

- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.2k · Python · GPL-3.0
  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root.
  _Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore app file system during a mobile penetration test._
  _Alternatives: frida, mobsf_

#### 🌐 Network (IP, TCP/UDP, services)

- 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0
  Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection.
  _Use when: When you need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses._
  _Alternatives: sliver, cobalt-strike_

### 🔑 Credential Access

#### 🌐 Web applications

- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause
  Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA.
  _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and valid TLS certificate to be effective._
  _Alternatives: gophish, modlishka_
- 🟢 **[THC Hydra](https://github.com/vanhauser-thc/thc-hydra)** ★★ ⭐11.9k · C · AGPL-3.0
  Fast and parallelized network login cracker supporting over 50 protocols including SSH, FTP, HTTP, SMB, RDP, and database services.
  _Use when: When brute-forcing or credential-stuffing against a live network service (SSH, RDP, HTTP forms, SMB) with a known username list and password wordlist._
  _Alternatives: hashcat, john-the-ripper_

#### 🌐 Network (IP, TCP/UDP, services)

(showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26.1k · C · MIT
  World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID.
  _Use when: When cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass._
  _Alternatives: john-the-ripper_
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system.
  _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks.
  _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._
  _Alternatives: crackmapexec, evil-winrm_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory

(showing top 3 of 16 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26.1k · C · MIT
  World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID.
_Use when: When cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass. _ _Alternatives: john-the-ripper_ - 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0 Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments. _ _Alternatives: impacket, certipy_ - 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0 Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment. _ _Alternatives: crackmapexec, evil-winrm_ - _…and 13 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_ #### 📶 Radio / wireless - 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0 Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains. 
_ ### 🗺️ Discovery #### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md)) - 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs. _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis. _ _Alternatives: peass-ng, linux-exploit-suggester_ - 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp. _ _Alternatives: seatbelt, powerup_ - 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.6k · Python · BSD-2-Clause Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: When spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes. _ _Alternatives: crackmapexec, impacket_ - _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_ #### 🏛️ Active Directory (showing top 3 of 9 — see [full cheatsheet](cheatsheets/active-directory.md)) - 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. 
_Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp. _ _Alternatives: seatbelt, powerup_ - 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.6k · Python · BSD-2-Clause Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: When spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes. _ _Alternatives: crackmapexec, impacket_ - 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system. _Use when: After initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps. _ _Alternatives: winpeas, powerup_ - _…and 6 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_ #### ☁️ Azure - 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐918 · Go · Apache-2.0 BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. _Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse. 
_ _Alternatives: bloodhound, sharphound_ ### ↔️ Lateral Movement #### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 8 — see [full cheatsheet](cheatsheets/network.md)) - 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0 Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains. _ - 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16.1k · Go · MIT Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: When you need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host. _ _Alternatives: ligolo-ng_ - 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0 Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment. _ _Alternatives: crackmapexec, evil-winrm_ - _…and 5 more in [`cheatsheets/network.md`](cheatsheets/network.md)_ #### 🏛️ Active Directory (showing top 3 of 8 — see [full cheatsheet](cheatsheets/active-directory.md)) - 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0 Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. 
_Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments. _ _Alternatives: impacket, certipy_ - 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.8k · Python · Apache-2.0 Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment. _ _Alternatives: crackmapexec, evil-winrm_ - 🔴 **[CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)** ★★ ⭐9.1k · Python · BSD-2-Clause Network pentesting swiss army knife for credential testing, lateral movement, and enumeration across SMB, WinRM, MSSQL, and other Windows protocols. _Use when: When spraying credentials or validating access across a subnet of Windows hosts; note that this project is archived — consider using its successor NetExec for active development and new features. _ _Alternatives: impacket, evil-winrm_ - _…and 5 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_ #### ☁️ AWS - 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account. _ _Alternatives: cloudsploit, prowler_ #### ☁️ Azure - 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐918 · Go · Apache-2.0 BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. 
_Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse. _ _Alternatives: bloodhound, sharphound_ #### 📶 Radio / wireless - 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.4k · Go · GPL-3.0 Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains. _ #### 🐳 Containers / Kubernetes - 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0 Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques. _Use when: When you have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes. _ _Alternatives: kube-hunter_ ### 📦 Collection #### 🌐 Network (IP, TCP/UDP, services) - 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐1.3k · C++ · MIT Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with snaffler for share-based collection. _ _Alternatives: snaffler_ #### 🏛️ Active Directory - 🟢 **[Snaffler](https://github.com/SnaffCon/Snaffler)** ★★ ⭐2.8k · C# · GPL-3.0 Finds credentials, secrets, and sensitive files on network shares and file systems during internal penetration tests. 
_Use when: After obtaining domain user credentials on an internal engagement; automatically triage shares for passwords, keys, and sensitive config files faster than manual review. _ - 🟢 **[Certify](https://github.com/GhostPack/Certify)** ★★★ ⭐2k · C# · BSD-3-Clause C# tool for enumerating and abusing Active Directory Certificate Services misconfigurations to request certificates that enable privilege escalation or persistence. _Use when: On AD engagements where AD CS is deployed — enumerate certificate templates for ESC1–ESC8 misconfigurations, then request certs to obtain NTLM hashes or TGTs without touching LSASS. Use certipy for Linux-based equivalents. _ _Alternatives: certipy_ - 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐1.3k · C++ · MIT Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with snaffler for share-based collection. _ _Alternatives: snaffler_ ### 📡 Command and Control (C2) #### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 10 — see [full cheatsheet](cheatsheets/network.md)) - 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16.1k · Go · MIT Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: When you need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host. _ _Alternatives: ligolo-ng_ - 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0 Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels. 
_Use when: When you need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations. _ _Alternatives: cobalt-strike, mythic_ - 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0 Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection. _Use when: When you need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses. _ _Alternatives: sliver, cobalt-strike_ - _…and 7 more in [`cheatsheets/network.md`](cheatsheets/network.md)_ #### 🏛️ Active Directory - 🟢 **[Empire](https://github.com/BC-SECURITY/Empire)** ★★★ ⭐5.2k · PowerShell · BSD-3-Clause Post-exploitation C2 framework with PowerShell and Python agents supporting a wide range of modules for lateral movement and persistence. _Use when: When conducting Windows-focused red team operations requiring a mature agent with extensive post-exploitation modules; prefer Sliver or Havoc for more evasive, modern C2 profiles. _ _Alternatives: sliver, mythic, havoc_ - 🔴 **[Covenant](https://github.com/cobbr/Covenant)** ★★★ ⭐4.7k · C# · GPL-3.0 .NET-based C2 framework with a web UI for collaborative red team operations, featuring Grunt implants. _Use when: When you need a .NET-native C2 with a collaborative web interface for multi-operator engagements. Good for Windows-heavy environments where .NET LOLbins are your primary execution path. _ _Alternatives: empire, sliver, mythic_ ### 📤 Exfiltration #### 🌐 Network (IP, TCP/UDP, services) - 🟡 **[Iodine](https://github.com/yarrick/iodine)** ★★ ⭐7.9k · C · ISC Tool that tunnels IPv4 traffic over DNS to provide network connectivity through restrictive firewalls that permit DNS lookups. 
_Use when: When you need full IP tunnel capability over DNS rather than just C2 channels; useful for pivoting through egress-restricted networks where DNS is the only allowed protocol. _ _Alternatives: dnscat2, dns2tcp_ - 🔴 **[dnscat2](https://github.com/iagox86/dnscat2)** ★★ ⭐3.9k · Ruby · BSD-3-Clause DNS-based encrypted C2 and exfiltration tool that tunnels data through DNS queries to bypass network egress filtering. _Use when: When outbound HTTP/HTTPS is blocked but DNS resolution is allowed; requires control of a domain with a custom nameserver pointing to your dnscat2 server. _ _Alternatives: iodine, dnsteal_ ### 💥 Impact #### 🌐 Web applications - 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐2.8k · Python · MIT Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. _Use when: When testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only. _ - 🔴 **[GoldenEye](https://github.com/jseidl/GoldenEye)** ★ ⭐1.5k · Python · GPL-3.0 HTTP DoS test tool that uses multiple concurrent HTTP/1.1 keep-alive connections with randomized headers and cache-control directives to stress HTTP servers. _Use when: When authorized to test HTTP-layer DoS resilience and want randomized headers to evade basic rate-limiting by IP; complements slowloris (different attack vector against the same connection-pool exhaustion class). _ _Alternatives: slowloris_ #### 🌐 Network (IP, TCP/UDP, services) - 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐2.8k · Python · MIT Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. 
_Use when: When testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only. _ ## Defensive (D3FEND-aligned lifecycle) ### 🛡️ Detection Engineering #### 🌐 Web applications - 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1 Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/web/ for web server and proxy log detections — SQLi, path traversal, webshell upload patterns; convert for your WAF or SIEM web log source. _ _Alternatives: yara, snort-rules, suricata-rules_ - 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0 Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain. _ #### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md)) - 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0 Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection. _ _Alternatives: velociraptor_ - 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0 Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. 
_Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane. _ - 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Run network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM creates the expected alerts for lateral movement and C2 channel techniques. _ _Alternatives: caldera, sigma_ - _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_ #### 🧠 AI / LLM systems - 🟢 **[LLM Guard](https://github.com/protectai/llm-guard)** ★★ ⭐3k · Python · MIT Modular input and output scanning framework for LLM applications with scanners for prompt injection, toxicity, PII, and secrets. _Use when: When you need a composable, production-ready guardrail layer with multiple independent scanners for both input sanitization and output validation in LLM pipelines. _ _Alternatives: rebuff, vigil-llm_ - 🔴 **[Rebuff](https://github.com/protectai/rebuff)** ★★ ⭐1.5k · Python · Apache-2.0 Self-hardening prompt injection detector for LLM applications that uses a canary-token strategy and vector similarity to identify and log attack attempts. _Use when: When building LLM-powered applications that accept user input and need runtime protection against prompt injection attacks; integrates as middleware to intercept and flag malicious prompts before they reach the model. _ _Alternatives: llm-guard, vigil-llm_ - 🔴 **[Vigil](https://github.com/deadbits/vigil-llm)** ★★ ⭐480 · Python · Apache-2.0 LLM prompt injection and jailbreak detection server that scans inputs and outputs against known attack patterns and embeddings. 
_Use when: When deploying an LLM-backed application and need runtime detection of prompt injection attempts; integrate as a middleware scanner before passing user input to the model. _ _Alternatives: rebuff, llm-guard_ #### 🏛️ Active Directory (showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md)) - 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0 Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection. _ _Alternatives: velociraptor_ - 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0 Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane. _ - 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Execute AD-specific atomics (T1558, T1069, T1087) against a test domain to verify Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM. 
_ _Alternatives: caldera, sigma_ - _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_ #### ☁️ AWS - 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1 Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the CloudTrail-focused Sigma rule pack from sigma/rules/cloud/aws/ — covers IAM enumeration, S3 abuse, Lambda persistence, and CloudTrail tampering patterns. _ _Alternatives: yara, snort-rules, suricata-rules_ - 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0 Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup. _ _Alternatives: atomic-red-team_ #### ☁️ Google Cloud - 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1 Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/cloud/gcp/ for GCP-specific detections: GSuite admin audit, VPC flow anomalies, and service account key creation events. _ _Alternatives: yara, snort-rules, suricata-rules_ #### ☁️ Azure - 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1 Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the Sigma Azure ruleset under sigma/rules/cloud/azure/ — focus on Azure AD sign-in events, Resource Manager activity logs, and conditional access bypass detections. _ _Alternatives: yara, snort-rules, suricata-rules_ - 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0 Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. 
_Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup. _ _Alternatives: atomic-red-team_ #### ☁️ Cloud (generic / multi-cloud) - 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0 Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads. _ #### 🐳 Containers / Kubernetes - 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0 Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads. _ ### 🎯 Threat Hunting #### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md)) - 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0 Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection. 
  _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance.
  _Use when: you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
  Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way.
  _Use when: validating lateral movement and C2 channel detections; run the network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM raises the expected alerts._
  _Alternatives: caldera, sigma_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory (showing top 3 of 7 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
  Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state.
  _Use when: you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._
  _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance.
  _Use when: you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
  Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way.
  _Use when: verifying that Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM; execute the AD-specific atomics (T1558, T1069, T1087) against a test domain._
  _Alternatives: caldera, sigma_
- _…and 4 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

#### ☁️ Azure

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

#### ☁️ Cloud (generic / multi-cloud)

- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language.
  _Use when: deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._

#### 🐳 Containers / Kubernetes

- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language.
  _Use when: deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._

### 🚨 Incident Response

#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously.
  _Use when: you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._
  _Alternatives: velociraptor_
- 🟢 **[Volatility 3](https://github.com/volatilityfoundation/volatility3)** ★★★ ⭐4.2k · Python · Volatility
  Memory forensics framework for extracting digital artifacts from RAM dumps across Windows, Linux, and macOS operating systems.
  _Use when: you have a memory image from an incident response or forensic investigation and need to recover processes, network connections, injected code, or encryption keys from RAM._
  _Alternatives: rekall, redline_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale.
  _Use when: you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously.
  _Use when: you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._
  _Alternatives: velociraptor_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale.
  _Use when: you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0
  Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic.
  _Use when: performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage._
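Both the Atomic Red Team AD atomics above (verifying that a Kerberoasting detection actually fires) and Chainsaw's Sigma-driven EVTX triage reduce to one operation: evaluating a Sigma detection block against parsed Windows Security events. The block below is an added example, not code from this list, from Chainsaw, Hayabusa or the Sigma project. It is a minimal evaluator for a Sigma-style rule (AND-ed search maps with `|contains`, `|startswith` and `|endswith` modifiers, plus a boolean `condition`) run over constructed Event ID 4769 records. The rule is simplified from the public Sigma logic for RC4-encrypted service ticket requests; the event records, the `run_detection` and `spns_per_requester` helpers and the condition grammar (no `1 of` / `all of` forms) are this example's own.

```python
import re

# A Sigma-style rule as a Python dict (same shape as the YAML) so this example needs no PyYAML.
# Simplified from the public Sigma logic for RC4-encrypted service-ticket requests (Kerberoasting,
# T1558.003): Event ID 4769 with RC4-HMAC (0x17) and the usual forwardable/renewable ticket
# options, minus machine accounts and the krbtgt service. Field names follow the Security event
# XML as Chainsaw and Hayabusa map it. "1 of" / "all of" conditions are not implemented here.
KERBEROASTING_RULE = {
    "title": "Kerberos service ticket request with RC4 encryption",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
        "filter_machine": {"ServiceName|endswith": "$"},
        "filter_krbtgt": {"ServiceName": "krbtgt"},
        "condition": "selection and not filter_machine and not filter_krbtgt",
    },
}

# Constructed Security-log records (not real exports), as they look once parsed out of EVTX.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810010", "TicketEncryptionType": "0x12"},   # TGT request, AES
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12"},   # ordinary AES service ticket
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},   # RC4 ticket for a user SPN
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},   # RC4 but krbtgt: filtered out
    {"EventID": 4769, "TargetUserName": "WKS07$@CORP.LOCAL", "ServiceName": "WKS07$",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},   # machine account: filtered out
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},   # second RC4 user SPN
]

def match_value(actual, expected, modifier=""):
    """One Sigma comparison: case-insensitive, refined by a contains/startswith/endswith modifier."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")

def match_map(search, event):
    """A Sigma search map: keys are AND-ed, a list value is OR-ed over its members."""
    for key, expected in search.items():
        field, _, modifier = key.partition("|")
        options = expected if isinstance(expected, list) else [expected]
        if not any(match_value(event.get(field), opt, modifier) for opt in options):
            return False
    return True

def eval_condition(condition, results):
    """Recursive-descent evaluator for 'a and not b or (c)' over named search results."""
    tokens = re.findall(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value   # right side parsed first so its tokens are always consumed
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in results:
            raise ValueError(f"unknown search identifier in condition: {tok}")
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: match_map(search, event) for name, search in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)

def run_detection(rule, events):
    """(index, event) pairs that fire the rule, in log order."""
    return [(i, ev) for i, ev in enumerate(events) if rule_matches(rule, ev)]

def spns_per_requester(hits):
    """Group hits by requesting account: one account pulling RC4 tickets for many SPNs is the tell."""
    by_user = {}
    for _, ev in hits:
        by_user.setdefault(ev["TargetUserName"], []).append(ev["ServiceName"])
    return by_user

if __name__ == "__main__":
    for user, spns in spns_per_requester(run_detection(KERBEROASTING_RULE, SAMPLE_EVENTS)).items():
        print(f"{KERBEROASTING_RULE['title']}: {user} -> {', '.join(spns)}")
```

After running the T1558.003 atomic in a lab, the same logic over the exported EVTX (`chainsaw hunt` with the corresponding Sigma rule does this at scale) should surface exactly one account requesting RC4 tickets for several user SPNs. A single RC4 ticket from a legacy application is routine noise, so the grouping step carries more signal than the per-event match, and the machine-account and krbtgt filters are what keep the rule from paging on every domain join.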
  _Alternatives: hayabusa_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

#### ☁️ Azure

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

### 🔬 Digital Forensics

#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Wireshark](https://github.com/wireshark/wireshark)** ★★ ⭐9.4k · C · GPL-2.0
  Industry-standard network protocol analyzer for live capture and offline analysis of packet data with deep dissection of hundreds of protocols.
  _Use when: analyzing captured network traffic to identify C2 communications, extract credentials from cleartext protocols, or reconstruct session data during incident response or network penetration testing._
- 🟢 **[Arkime](https://github.com/arkime/arkime)** ★★ ⭐7.4k · JavaScript · Apache-2.0
  Full packet capture and indexing system (formerly Moloch) providing long-term PCAP storage with fast search, session reconstruction, and integration with Elasticsearch for large-scale network forensics.
  _Use when: you need full PCAP retention at multi-gigabit rates with indexed search for retrospective investigation after a detection fires. Pair it with Zeek, which supplies the structured metadata while Arkime provides raw packet access during the same investigation._
- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously.
  _Use when: you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._
  _Alternatives: velociraptor_
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))

- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously.
  _Use when: you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._
  _Alternatives: velociraptor_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale.
  _Use when: you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0
  Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic.
  _Use when: performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage._
  _Alternatives: hayabusa_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### 🔌 Hardware

- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images.
  _Use when: analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._

#### 📟 IoT devices

- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images.
  _Use when: analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._

### 🦠 Malware Analysis

#### 🤖 Android

- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0
  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures.
  _Use when: reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._
  _Alternatives: radare2_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐24k · C · LGPL-3.0
  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats.
  _Use when: performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._
  _Alternatives: ghidra_

#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0
  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures.
  _Use when: reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._
  _Alternatives: radare2_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐24k · C · LGPL-3.0
  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats.
  _Use when: performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._
  _Alternatives: ghidra_
- 🟢 **[YARA](https://github.com/VirusTotal/yara)** ★★ ⭐9.6k · C · BSD-3-Clause
  Pattern matching tool for malware researchers that creates rules to identify and classify malware families based on textual or binary patterns.
  _Use when: writing detection rules for malware samples or integrating signature-based detection into your SIEM, EDR, or incident response workflow for hunting known threat families._
  _Alternatives: sigma, suricata_
- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

### 🧠 Threat Intelligence

#### 🌐 Web applications

- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
  Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains.
  _Use when: you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._

#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[OpenCTI](https://github.com/OpenCTI-Platform/opencti)** ★★ ⭐9.5k · TypeScript · Apache-2.0
  Open-source cyber threat intelligence platform with a knowledge graph that links threat actors, campaigns, TTPs, and observables.
  _Use when: you need structured threat intelligence with entity relationships mapped to STIX 2.1 and MITRE ATT&CK; use MISP when the primary need is IoC sharing and correlation._
  _Alternatives: misp_
- 🟢 **[MISP](https://github.com/MISP/MISP)** ★★ ⭐6.3k · PHP · AGPL-3.0
  Open-source threat intelligence platform for sharing, storing, and correlating IoCs, malware, and threat actor TTPs.
  _Use when: you need a collaborative threat intelligence platform to ingest, correlate, and share IoCs across teams or partner organizations; use OpenCTI when you need richer knowledge-graph relationships between threats._
  _Alternatives: opencti_
- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
  Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains.
  _Use when: you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._
- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### ☁️ AWS

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

#### ☁️ Azure

- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows.
  _Use when: you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._

### 🔗 SIEM & SOAR

#### 🌐 Network (IP, TCP/UDP, services)

- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance.
  _Use when: you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._

#### 🏛️ Active Directory

- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.8k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance.
  _Use when: you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._

## Cross-cutting

### 🧪 Vulnerability Discovery

#### 🌐 Web applications (showing top 3 of 12 — see [full cheatsheet](cheatsheets/web.md))

- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0
  Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms.
  _Use when: you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database._
  _Alternatives: commix_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: scanning web targets with the templates under nuclei-templates/http/: CVE-tagged checks for CMS vulnerabilities, exposed admin panels, and common misconfigurations._
  _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.2k · Go · MIT
  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists.
  _Use when: brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._
  _Alternatives: feroxbuster, gobuster_
- _…and 9 more in [`cheatsheets/web.md`](cheatsheets/web.md)_

#### 🔌 APIs (REST, GraphQL, gRPC) (showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))

- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0
  Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms.
  _Use when: you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database._
  _Alternatives: commix_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: hunting exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses; target the api/ and exposures/ templates._
  _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.2k · Go · MIT
  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists.
  _Use when: brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._
  _Alternatives: feroxbuster, gobuster_
- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_

#### 🤖 Android (showing top 3 of 11 — see [full cheatsheet](cheatsheets/mobile-android.md))

- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0
  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures.
  _Use when: reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._
  _Alternatives: radare2_
- 🟢 **[JADX](https://github.com/skylot/jadx)** ★★ ⭐48.8k · Java · Apache-2.0
  Dex-to-Java decompiler that converts Android APK and DEX files into readable Java source code with a GUI and CLI for Android application reverse engineering.
  _Use when: reverse engineering Android APKs to review business logic, find hardcoded secrets, or identify insecure API calls; the GUI makes navigating decompiled class hierarchies faster than command-line tools alone._
  _Alternatives: apktool_
- 🟢 **[Apktool](https://github.com/iBotPeaches/Apktool)** ★★ ⭐24.7k · Java · Apache-2.0
  Reverse engineering tool for Android APK files that decodes resources and disassembles Dalvik bytecode to smali for analysis and modification.
  _Use when: statically analyzing an Android APK to inspect permissions, decode resources, read smali code, or modify and repackage an app for dynamic testing._
  _Alternatives: mobsf, frida_
- _…and 8 more in [`cheatsheets/mobile-android.md`](cheatsheets/mobile-android.md)_

#### 📱 iOS (showing top 3 of 4 — see [full cheatsheet](cheatsheets/mobile-ios.md))

- 🟢 **[MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)** ★ ⭐21.1k · Python · GPL-3.0
  All-in-one mobile security testing framework supporting static and dynamic analysis of Android APKs and iOS IPAs via a web-based interface.
  _Use when: starting a mobile app assessment and you want a quick automated static analysis report covering permissions, hardcoded secrets, and insecure API calls before manual testing._
  _Alternatives: frida, objection_
- 🟢 **[Frida](https://github.com/frida/frida)** ★★★ ⭐20.8k · C · wxWindows
  Dynamic instrumentation toolkit that injects JavaScript into native apps on Android, iOS, Windows, Linux, and macOS for runtime hooking and analysis.
  _Use when: you need to hook API calls, bypass SSL pinning, trace function arguments, or patch runtime behavior in a mobile app without access to source code._
  _Alternatives: objection, xposed_
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.2k · Python · GPL-3.0
  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root.
  _Use when: you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes and methods, and explore the app's file system during a mobile penetration test._
  _Alternatives: frida, mobsf_
- _…and 1 more in [`cheatsheets/mobile-ios.md`](cheatsheets/mobile-ios.md)_

#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md))

- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0
  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures.
  _Use when: reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._
  _Alternatives: radare2_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐29k · Go · MIT
  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community.
  _Use when: fingerprinting network services, detecting protocol versions, and checking SSL/TLS misconfigurations across port-scanned hosts with the network/ and ssl/ templates._
  _Alternatives: jaeles, dalfox_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐24k · C · LGPL-3.0
  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats.
  _Use when: performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._
  _Alternatives: ghidra_
- _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🧠 AI / LLM systems (showing top 3 of 5 — see [full cheatsheet](cheatsheets/ai-llm.md))

- 🟢 **[Promptfoo](https://github.com/promptfoo/promptfoo)** ★ ⭐21.8k · TypeScript · MIT
  Open-source LLM testing framework for red-teaming, prompt injection testing, and evaluating AI model outputs against security and safety policies.
  _Use when: assessing an AI application for prompt injection, jailbreaks, or data leakage; configure test cases declaratively in YAML and run automated red-team probes against any LLM endpoint._
  _Alternatives: garak, pyrit_
- 🟢 **[garak](https://github.com/NVIDIA/garak)** ★★ ⭐8k · Python · Apache-2.0
  LLM vulnerability scanner that probes models for prompt injection, jailbreaks, toxicity, hallucinations, and data leakage.
  _Use when: red-teaming an LLM application or evaluating a model release. Modular probes cover OWASP LLM Top 10 categories; it outputs structured reports suitable for engagement deliverables._
  _Alternatives: promptfoo, pyrit, llm-attacks_
- 🔴 **[llm-attacks](https://github.com/llm-attacks/llm-attacks)** ★★★ ⭐4.7k · Python · MIT
  Research framework implementing universal and transferable adversarial attacks (GCG suffix optimization) against aligned large language models to elicit harmful outputs.
  _Use when: red-teaming LLM safety mechanisms by generating adversarial suffixes that transfer across models; use in an isolated research environment to evaluate model robustness to gradient-based jailbreak attacks._
  _Alternatives: garak, pyrit_
- _…and 2 more in [`cheatsheets/ai-llm.md`](cheatsheets/ai-llm.md)_

#### ⛓️ Blockchain / Web3 (showing top 3 of 6 — see [full cheatsheet](cheatsheets/blockchain-web3.md))

- 🟢 **[Foundry](https://github.com/foundry-rs/foundry)** ★★ ⭐10.4k · Rust · Apache-2.0
  Blazing-fast Ethereum development toolkit with built-in fuzzer (Forge), cast CLI, and Anvil local testnet for smart contract testing and exploit PoC development.
  _Use when: writing fuzz tests or PoC exploits for smart contracts; Forge's invariant fuzzer finds edge cases that manual review misses, and Anvil lets you fork mainnet to reproduce live exploits locally._
- 🟢 **[Slither](https://github.com/crytic/slither)** ★★ ⭐6.3k · Python · AGPL-3.0
  Static analysis framework for Solidity smart contracts that detects vulnerabilities, code quality issues, and anti-patterns using a suite of built-in and custom detectors.
  _Use when: auditing Solidity contracts for reentrancy, integer overflow, access control flaws, and other common smart contract vulnerabilities before deployment or during a bug bounty engagement._
  _Alternatives: mythril_
- 🟢 **[Mythril](https://github.com/Consensys/mythril)** ★★★ ⭐4.2k · Python · MIT
  Security analysis tool for EVM bytecode using symbolic execution, SMT solving, and taint analysis to detect smart contract vulnerabilities at the bytecode level.
  _Use when: performing deep symbolic execution analysis on Solidity or EVM bytecode to uncover logic flaws that static analysis misses; slower than Slither but catches complex multi-transaction vulnerabilities._
  _Alternatives: slither_
- _…and 3 more in [`cheatsheets/blockchain-web3.md`](cheatsheets/blockchain-web3.md)_

#### 🏛️ Active Directory

- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0
  Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths.
  _Use when: you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis._
  _Alternatives: adrecon_

#### ☁️ AWS

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_

#### ☁️ Google Cloud

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_

#### ☁️ Azure (showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))

- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks.
  _Use when: you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._
  _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations.
  _Use when: assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._
  _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_
- _…and 1 more in [`cheatsheets/cloud-azure.md`](cheatsheets/cloud-azure.md)_

#### ☁️ Cloud (generic / multi-cloud)

- 🟢 **[Trivy](https://github.com/aquasecurity/trivy)** ★ ⭐35.3k · Go · Apache-2.0
  Comprehensive vulnerability and misconfiguration scanner for containers, filesystems, IaC templates, and Kubernetes clusters with CVE database integration.
  _Use when: scanning container images or Kubernetes manifests for known CVEs and IaC misconfigurations; integrates natively into CI pipelines for shift-left security scanning._
  _Alternatives: grype_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues.
  _Use when: starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._
  _Alternatives: prowler, pacu_

#### 🔌 Hardware

- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images.
  _Use when: analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._

#### 📟 IoT devices

- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images.
  _Use when: analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._
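Binwalk's first pass, and the step the Hardware and IoT entries above rest on, is to locate known magic values inside an opaque firmware blob, check that each hit is a plausible header rather than a stray byte sequence, and carve the region the header describes. The block below is an added example, not Binwalk's code and not from this list: a small signature scanner with header validation for gzip (by trial inflate), ELF, legacy U-Boot uImage and SquashFS v4, run over a firmware image the block constructs itself (a fake bootloader, a gzip-compressed uImage, a SquashFS superblock over a text body, and two decoys that a magic-only grep would misreport). The `build_sample_image`, `scan`, `carve` and `inflate` helpers and the sample layout are this example's own.

```python
import gzip
import struct
import zlib

# Each validator takes (data, offset) and returns (genuine hit?, region size in bytes or None when
# the header does not carry a size). Magic-only matching is what produces binwalk's false positives.

def v_gzip(data, off):
    # RFC 1952: ID1 ID2 CM=8, then FLG whose reserved bits 5-7 must be zero.
    if len(data) < off + 10 or data[off + 3] & 0xE0:
        return False, None
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # trial-inflate to find where the member ends
    try:
        d.decompress(data[off:])
    except zlib.error:
        return False, None
    return (True, len(data) - off - len(d.unused_data)) if d.eof else (False, None)

def v_elf(data, off):
    # e_ident: EI_CLASS in {1, 2} (32/64-bit) and EI_DATA in {1, 2} (LSB/MSB); no size in the header.
    return (len(data) >= off + 16 and data[off + 4] in (1, 2) and data[off + 5] in (1, 2)), None

def v_uboot(data, off):
    # Legacy uImage: 64-byte big-endian header, payload size at +12.
    if len(data) < off + 64:
        return False, None
    size = struct.unpack_from(">I", data, off + 12)[0]
    return (0 < size <= len(data) - off - 64), 64 + size

def v_squashfs(data, off):
    # v4 superblock (96 bytes): block_size @12, block_log @22, version_major @28, bytes_used @40.
    if len(data) < off + 96:
        return False, None
    fmt = "<" if data[off:off + 4] == b"hsqs" else ">"
    (_inodes, _mtime, block_size, _frags, _comp, block_log, _flags, _ids, major, _minor,
     _root, bytes_used) = struct.unpack_from(fmt + "IIIIHHHHHHQQ", data, off + 4)
    ok = major == 4 and block_log < 32 and (1 << block_log) == block_size and bytes_used <= len(data) - off
    return ok, bytes_used

SIGNATURES = [
    ("gzip compressed data", b"\x1f\x8b\x08", v_gzip),
    ("ELF executable", b"\x7fELF", v_elf),
    ("U-Boot legacy uImage", b"\x27\x05\x19\x56", v_uboot),
    ("SquashFS filesystem (little-endian)", b"hsqs", v_squashfs),
    ("SquashFS filesystem (big-endian)", b"sqsh", v_squashfs),
]

def scan(data):
    """Every validated magic hit as (offset, name, size), sorted by offset."""
    hits = []
    for name, magic, validate in SIGNATURES:
        off = data.find(magic)
        while off != -1:
            ok, size = validate(data, off)
            if ok:
                hits.append((off, name, size))
            off = data.find(magic, off + 1)
    return sorted(hits, key=lambda h: h[0])

def carve(data, hits):
    """offset -> bytes; sized regions are cut exactly, unsized ones run to the next hit (dd-style)."""
    out = {}
    for i, (off, _name, size) in enumerate(hits):
        end = off + size if size else (hits[i + 1][0] if i + 1 < len(hits) else len(data))
        out[off] = data[off:end]
    return out

def inflate(region):
    """Inflate a carved gzip member, the step before grepping it for keys and credentials."""
    return gzip.decompress(region)

def build_sample_image():
    """Constructed firmware blob (not a real vendor image) plus the hits a correct scan must report."""
    filler = bytes(range(256)) * 4   # contains none of the magics above
    bootloader = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + b"BOOT" * 100
    kernel_gz = gzip.compress(b"vmlinux" * 300, mtime=0)
    uimage = struct.pack(">IIIIIIIBBBB32s", 0x27051956, 0, 0, len(kernel_gz), 0x80008000, 0x80008000,
                         zlib.crc32(kernel_gz), 5, 2, 2, 1, b"constructed-kernel") + kernel_gz
    rootfs_body = (b"root:x:0:0:root:/root:/bin/sh\nadmin:$1$salt$constructedhash:0:0::/:/bin/sh\n"
                   b"# built with hsqs tooling\n") * 4   # the literal 'hsqs' here is a decoy, not a superblock
    rootfs = b"hsqs" + struct.pack("<IIIIHHHHHHQQ", 3, 0, 131072, 0, 1, 17, 0, 1, 4, 0, 0, 96 + len(rootfs_body))
    rootfs = rootfs.ljust(96, b"\0") + rootfs_body
    decoy_gz = b"\x1f\x8b\x08\xe0 not a gzip member"   # FLG reserved bits set: must be rejected
    parts = [bootloader, filler, uimage, filler, rootfs, decoy_gz, filler]
    off = [sum(len(p) for p in parts[:i]) for i in range(len(parts))]
    expected = [(off[0], "ELF executable", None),
                (off[2], "U-Boot legacy uImage", 64 + len(kernel_gz)),
                (off[2] + 64, "gzip compressed data", len(kernel_gz)),
                (off[4], "SquashFS filesystem (little-endian)", len(rootfs))]
    return b"".join(parts), expected

if __name__ == "__main__":
    image, _ = build_sample_image()
    for off, name, size in scan(image):
        print(f"{off:>8}  {str(size if size is not None else '?'):>8}  {name}")
```

Run as a script it prints the offset table for the constructed image; on a real dump the next steps are the ones the entry lists (unsquash the carved region, then grep it for keys and `/etc/shadow`-style hashes). The two decoys are the point of the validators: a text segment that mentions `hsqs`, or a random `1f 8b 08` in compressed data, is not a file system, and carving at every magic without checking the header is how an analyst ends up with hundreds of junk extractions.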
_ #### 🏭 ICS / SCADA - 🔴 **[ISF (ICSSPLOIT)](https://github.com/dark-lbp/isf)** ★★★ ⭐1.1k · Python · BSD-2-Clause ICS/SCADA exploitation framework modeled after Metasploit for testing industrial control systems. _Use when: When performing authorized ICS/OT security assessments and you need a structured framework for exploiting Modbus, DNP3, S7, and other industrial protocols — not for use on live production environments. _ - 🔴 **[PLCscan](https://github.com/meeas/plcscan)** ★★ ⭐113 · Python · MIT Scanner for detecting Siemens S7 and Modbus PLCs on a network during ICS security assessments. _Use when: When scoping an ICS/OT assessment and you need to identify reachable PLCs on a network segment. Use before deeper protocol-level testing with ISF or manual interaction. _ #### 🐳 Containers / Kubernetes (showing top 3 of 5 — see [full cheatsheet](cheatsheets/containers-k8s.md)) - 🟢 **[Trivy](https://github.com/aquasecurity/trivy)** ★ ⭐35.3k · Go · Apache-2.0 Comprehensive vulnerability and misconfiguration scanner for containers, filesystems, IaC templates, and Kubernetes clusters with CVE database integration. _Use when: When scanning container images or Kubernetes manifests for known CVEs and IaC misconfigurations; integrates natively into CI pipelines for shift-left security scanning. _ _Alternatives: grype_ - 🟢 **[Grype](https://github.com/anchore/grype)** ★ ⭐12.3k · Go · Apache-2.0 Fast vulnerability scanner for container images and filesystems that matches SBOMs against multiple CVE databases including NVD, GHSA, and OS vendor feeds. _Use when: When scanning container images for known vulnerabilities with SBOM-aware analysis; pairs with Syft for SBOM generation and provides richer match context than Trivy for anchored environments. 
_ _Alternatives: trivy_ - 🟢 **[Kubescape](https://github.com/kubescape/kubescape)** ★ ⭐11.4k · Go · Apache-2.0 Kubernetes security posture management tool that scans clusters and manifests against NSA/CISA hardening guidelines and the MITRE ATT&CK framework. _Use when: When evaluating a Kubernetes cluster's compliance with security benchmarks; run against live clusters or manifest files in CI/CD to catch misconfigurations before deployment. _ _Alternatives: kube-hunter, trivy_ - _…and 2 more in [`cheatsheets/containers-k8s.md`](cheatsheets/containers-k8s.md)_ ### 🔧 Exploit Development #### 🌐 Web applications - 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console. _ _Alternatives: sliver, cobalt-strike_ - 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0 Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database. _ _Alternatives: commix_ - 🟢 **[commix](https://github.com/commixproject/commix)** ★★ ⭐5.7k · Python · GPL-3.0 Automated command injection and exploitation tool for web applications with multiple injection technique support. _Use when: When you suspect a parameter is vulnerable to OS command injection; use commix to automatically detect and exploit the vulnerability across classic, time-based, and file-based techniques. 
_ _Alternatives: sqlmap_ #### 🔌 APIs (REST, GraphQL, gRPC) - 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0 Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database. _ _Alternatives: commix_ - 🟢 **[commix](https://github.com/commixproject/commix)** ★★ ⭐5.7k · Python · GPL-3.0 Automated command injection and exploitation tool for web applications with multiple injection technique support. _Use when: When you suspect a parameter is vulnerable to OS command injection; use commix to automatically detect and exploit the vulnerability across classic, time-based, and file-based techniques. _ _Alternatives: sqlmap_ #### 🤖 Android (showing top 3 of 6 — see [full cheatsheet](cheatsheets/mobile-android.md)) - 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0 NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets. _ _Alternatives: radare2_ - 🟢 **[Apktool](https://github.com/iBotPeaches/Apktool)** ★★ ⭐24.7k · Java · Apache-2.0 Reverse engineering tool for Android APK files that decodes resources and disassembles Dalvik bytecode to smali for analysis and modification. _Use when: When statically analysing an Android APK to inspect permissions, decode resources, read smali code, or modify and repackage an app for dynamic testing. 
_ _Alternatives: mobsf, frida_ - 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐24k · C · LGPL-3.0 Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines. _ _Alternatives: ghidra_ - _…and 3 more in [`cheatsheets/mobile-android.md`](cheatsheets/mobile-android.md)_ #### 📱 iOS - 🟢 **[Frida](https://github.com/frida/frida)** ★★★ ⭐20.8k · C · wxWindows Dynamic instrumentation toolkit that injects JavaScript into native apps on Android, iOS, Windows, Linux, and macOS for runtime hooking and analysis. _Use when: When you need to hook API calls, bypass SSL pinning, trace function arguments, or patch runtime behavior in a mobile app without access to source code. _ _Alternatives: objection, xposed_ - 🟢 **[r2frida](https://github.com/nowsecure/r2frida)** ★★★ ⭐1.4k · C · MIT Radare2 plugin that integrates Frida's dynamic instrumentation into the r2 analysis workflow for mobile app RE. _Use when: When you need to combine static binary analysis with live dynamic instrumentation in a single tool during mobile app assessments — ideal for bypassing certificate pinning or hooking native functions. _ _Alternatives: frida, radare2_ #### 🌐 Network (IP, TCP/UDP, services) - 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐69.1k · Java · Apache-2.0 NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets. 
_ _Alternatives: radare2_ - 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.3k · Ruby · BSD-3-Clause Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console. _ _Alternatives: sliver, cobalt-strike_ - 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐24k · C · LGPL-3.0 Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines. _ _Alternatives: ghidra_ #### 🧠 AI / LLM systems - 🔴 **[llm-attacks](https://github.com/llm-attacks/llm-attacks)** ★★★ ⭐4.7k · Python · MIT Research framework implementing universal and transferable adversarial attacks (GCG suffix optimization) against aligned large language models to elicit harmful outputs. _Use when: When red-teaming LLM safety mechanisms by generating adversarial suffixes that transfer across models; use in an isolated research environment to evaluate model robustness to gradient-based jailbreak attacks. _ _Alternatives: garak, pyrit_ #### ⛓️ Blockchain / Web3 - 🟢 **[Mythril](https://github.com/Consensys/mythril)** ★★★ ⭐4.2k · Python · MIT Security analysis tool for EVM bytecode using symbolic execution, SMT solving, and taint analysis to detect smart contract vulnerabilities at the bytecode level. 
_Use when: When performing deep symbolic execution analysis on Solidity or EVM bytecode to uncover logic flaws that static analysis misses; slower than Slither but catches complex multi-transaction vulnerabilities. _ _Alternatives: slither_ #### 🏭 ICS / SCADA - 🔴 **[ISF (ICSSPLOIT)](https://github.com/dark-lbp/isf)** ★★★ ⭐1.1k · Python · BSD-2-Clause ICS/SCADA exploitation framework modeled after Metasploit for testing industrial control systems. _Use when: When performing authorized ICS/OT security assessments and you need a structured framework for exploiting Modbus, DNP3, S7, and other industrial protocols — not for use on live production environments. _ ### 🕵️ OSINT #### 🌐 Web applications (showing top 3 of 6 — see [full cheatsheet](cheatsheets/web.md)) - 🟢 **[Sherlock](https://github.com/sherlock-project/sherlock)** ★ ⭐84.4k · Python · MIT Hunts down social media accounts by username across 400+ social networks for OSINT profiling. _Use when: When building a person-of-interest profile and you need to discover all social accounts tied to a known username across major and niche platforms. _ - 🟢 **[Maigret](https://github.com/soxoj/maigret)** ★ ⭐31.2k · Python · MIT Username OSINT tool that searches 3000+ sites to build a profile of online presence from a single username. _Use when: When you have a target username and want to enumerate all platforms they are active on, generating a report of accounts and profile data for OSINT investigations or social engineering pre-work. _ _Alternatives: sherlock_ - 🟢 **[SpiderFoot](https://github.com/smicallef/spiderfoot)** ★★ ⭐18k · Python · MIT Automated OSINT collection framework that correlates data across 200+ modules covering IPs, domains, emails, and threat intel feeds. _Use when: When you need fully automated, deep passive reconnaissance with correlated results across dozens of data sources; use recon-ng when you prefer manual module-by-module control. 
_ _Alternatives: recon-ng_ - _…and 3 more in [`cheatsheets/web.md`](cheatsheets/web.md)_ #### 🌐 Network (IP, TCP/UDP, services) - 🟢 **[SpiderFoot](https://github.com/smicallef/spiderfoot)** ★★ ⭐18k · Python · MIT Automated OSINT collection framework that correlates data across 200+ modules covering IPs, domains, emails, and threat intel feeds. _Use when: When you need fully automated, deep passive reconnaissance with correlated results across dozens of data sources; use recon-ng when you prefer manual module-by-module control. _ _Alternatives: recon-ng_ - 🟢 **[theHarvester](https://github.com/laramies/theHarvester)** ★ ⭐16.4k · Python · GPL-2.0 OSINT tool that gathers emails, subdomains, IPs, and URLs from public search engines, PGP key servers, and Shodan. _Use when: During initial recon to harvest email addresses and subdomains from passive public sources without touching the target's infrastructure. _ _Alternatives: recon-ng, spiderfoot_ - 🔴 **[recon-ng](https://github.com/lanmaster53/recon-ng)** ★★ ⭐5.7k · Python · GPL-3.0 Full-featured web reconnaissance framework with a Metasploit-like interface and modular marketplace of OSINT modules. _Use when: When you need a structured, repeatable OSINT workflow with database-backed results and API-driven modules; prefer SpiderFoot for fully automated passive collection. _ _Alternatives: spiderfoot_ ## Cross-cutting references ### Resources ### Wordlists - 🟢 **[SecLists](https://github.com/danielmiessler/SecLists)** ⭐71.3k · Shell · MIT Comprehensive collection of security-relevant wordlists for usernames, passwords, URLs, fuzzing payloads, and sensitive data patterns used across all phases of testing. 
_Use when: When you need curated wordlists for directory brute-forcing with ffuf or feroxbuster, credential spraying, or fuzzing payloads — the de-facto standard wordlist repository for most offensive engagements._ _Alternatives: fuzzdb, payloadsallthethings_ - 🔴 **[FuzzDB](https://github.com/fuzzdb-project/fuzzdb)** ⭐8.9k · Various · CC-BY-3.0 Attack pattern and primitive injection fault dictionary covering web vulnerabilities, authentication bypass, and OS command injection. _Use when: When you need comprehensive attack pattern wordlists for fuzzer payloads; use SecLists for broader content-discovery lists or FuzzDB specifically for injection and bypass patterns._ _Alternatives: seclists_ ### Cheatsheets / Wikis - 🟢 **[HackTricks](https://github.com/HackTricks-wiki/hacktricks)** ⭐11.5k · Markdown · CC-BY-NC-4.0 Comprehensive hacking methodology wiki covering pentesting techniques across web, network, AD, cloud, and mobile with step-by-step commands. _Use when: When you need structured methodology guidance or command references during any phase of an engagement; pairs with PayloadsAllTheThings for specific payload selection._ _Alternatives: payloadsallthethings_ ## Awesome Killchain Score (AKS) Every tool here gets an algorithmic quality score from 0–100, computed daily from observable signals: stars trajectory, release cadence, commit cadence, license clarity, archived status. Top scores and full breakdown are in [`scores.json`](scores.json). **Tool maintainers — embed your AKS badge:** [![AKS Score](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2FVyntral%2Fawesome-killchain%2Fmain%2Fscores.json&query=$.scores.YOUR-SLUG.score&label=AKS&color=brightgreen)](https://github.com/Vyntral/awesome-killchain) Replace `YOUR-SLUG` with your tool's slug. The badge auto-refreshes when our daily enrich job updates scores. Algorithm: [`scripts/lib/score.ts`](scripts/lib/score.ts). 
## Playbooks ## License - Content (text): [CC-BY-4.0](LICENSE-CONTENT) - Code (scripts, site): [MIT](LICENSE-CODE) ## Maintainer If `awesome-killchain` saves you time on an engagement, a ⭐ helps it reach more operators.