Network security and open source have an inseparable relationship. In addition to the large amount of open source code used in commercial security products, the network security industry has also shared and developed a large number of open source security frameworks, tools, methods, models, and even intelligence. Open source security projects are playing an increasingly important role in promoting the innovation and standardization of network security technology.
Below, we have compiled 20 open source security projects on GitHub, covering various fields from vulnerability scanning and network monitoring to encryption and incident response, to help individuals and businesses better protect their digital assets.
ATT&CK Navigator
ATT&CK Navigator is a navigation and annotation tool for ATT&CK matrices, used much like a spreadsheet. It provides a visual way to show defensive coverage, as well as a method for planning and tracking red/blue team activities and techniques. It also lets users annotate individual matrix cells, for example by adding comments or color coding.
The main function of ATT&CK Navigator is to create custom layers, providing a personalized view of the ATT&CK knowledge base. Users can create layers interactively or programmatically, and then visualize them using the navigator.
Address:
Cryptomator
Cryptomator is an open source cross-platform tool that provides client-side encryption for files stored in the cloud.
Unlike encryption services provided by many cloud providers (which usually only encrypt data during transmission or retain the decryption key itself), Cryptomator ensures that only the user has the key to their data. This approach minimizes the risk of key theft, duplication, or abuse.
Cryptomator also supports users accessing their files from any device.
Address:
Cutter
Cutter is a free and open source reverse engineering platform that uses Rizin as its core engine. This allows users to access numerous features through a graphical user interface (GUI) or an integrated terminal.
Cutter provides a wide range of widgets and features that make the reverse engineering process more comfortable. It ships with a native integration of the Ghidra decompiler, so no Java dependency is required.
Address:
Dismap
Dismap is an asset discovery and identification tool that supports protocols such as Web, TCP, and UDP, and can detect various types of assets, suitable for both internal and external networks. Dismap can assist red team members in identifying potential risk assets and support blue team members in detecting suspicious vulnerable assets.
Dismap's fingerprint rule library includes TCP, UDP, and TLS protocol fingerprints, as well as over 4500 web fingerprint rules. These rules identify assets from elements such as a site's favicon, body, title, and other related components.
Address:
Faraday
Faraday is an open source vulnerability management platform that helps security professionals focus on finding vulnerabilities while simplifying the organization of their work processes.
One of Faraday's main features is the ability to aggregate and normalize the data loaded into it. This allows managers and analysts to explore the data through various visualizations, helping to better understand vulnerabilities and facilitate the decision-making process.
Address:
Hayabusa
Hayabusa is a fast forensics timeline generator and threat hunting tool for Windows event logs. It is implemented in the Rust programming language and uses multithreading to optimize its speed. The tool includes functionality to convert Sigma rules to the Hayabusa rule format.
Detection rules compatible with Hayabusa are written in YAML and can be easily customized and extended. Hayabusa can be used in various ways, including real-time analysis of individual systems, offline analysis by collecting logs from single or multiple systems, or in combination with Velociraptor for enterprise-wide threat hunting and incident response.
The information output by Hayabusa is integrated into a CSV timeline for easy analysis in popular tools such as LibreOffice, Timeline Explorer, Elastic Stack, and Timesketch.
Address:
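To make the rule model described above concrete, here is an added illustration (not Hayabusa's own code): a minimal evaluator for Sigma-style detection rules, where a rule's detection block names field selections plus a boolean condition, run over a few constructed Windows event records. The rule and the events are assumptions constructed for this example; the field names follow the Windows Security log schema, and rules are held as Python dicts rather than YAML so the script runs without extra libraries.

```python
"""Minimal Sigma-style rule evaluation over Windows event records.

Added illustration, not Hayabusa's implementation: it reproduces the idea of a
`detection` block (named selections plus a `condition` expression) and runs it
over constructed sample events.
"""
import re

# Constructed sample events shaped like flattened Security/System log records.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "alice", "IpAddress": "-"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": "C:\\Temp\\svc.exe"},
]

# Constructed rule in the spirit of a Sigma/Hayabusa rule (an assumption made
# here, not a rule from either project's rule set).
SAMPLE_RULE = {
    "title": "Failed network or RDP logon",
    "level": "medium",
    "detection": {
        "selection": {"Channel": "Security", "EventID": 4625},
        "logon_type": {"LogonType": [3, 10]},       # network or RemoteInteractive
        "filter": {"IpAddress": "-"},               # drop events with no source
        "condition": "selection and logon_type and not filter",
    },
}


def _value_matches(actual, expected, modifier):
    """Compare one field value; lists mean 'any of'; '*' is a wildcard."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e, modifier) for e in expected)
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    pattern = ".*".join(re.escape(part) for part in e.split("*"))
    return re.fullmatch(pattern, a) is not None


def selection_matches(selection, event):
    """All fields of a selection must match (keys may carry a |modifier)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _value_matches(event[field], expected, modifier or None):
            return False
    return True


def _eval_condition(condition, truth):
    """Recursive-descent evaluation of 'a and (b or not c)' over selection results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()      # evaluate before combining (no short-circuit)
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in truth:
            raise KeyError(f"condition references unknown selection {tok!r}")
        return truth[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def evaluate_rule(rule, event):
    det = rule["detection"]
    truth = {name: selection_matches(sel, event)
             for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], truth)


def run_rules(rules, events):
    """Return (rule title, event) pairs, the rows a CSV timeline would carry."""
    return [(r["title"], ev) for ev in events for r in rules if evaluate_rule(r, ev)]


if __name__ == "__main__":
    for title, ev in run_rules([SAMPLE_RULE], SAMPLE_EVENTS):
        print(title, ev["EventID"], ev.get("TargetUserName"), ev.get("IpAddress"))
```

Running it lists the two failed logons with a real source address and skips the successful logon and the service-install event, which is the shape of output a timeline generator then writes out as CSV rows.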
ImHex
ImHex is a hex editor: a tool for displaying, decoding, and analyzing binary data to reverse engineer its format, extract information, or patch it.
ImHex provides many advanced features, such as a fully customizable binary template and pattern language, decoding and highlighting of structures within the data, graph-based data processors, preprocessing of values before they are displayed, a disassembler, diff support, bookmarks, and more. ImHex is open source under the GPLv2 license.
Address:
Kubescape
Kubescape is an open source Kubernetes security platform for IDEs, CI/CD pipelines, and clusters. It provides functionalities such as risk analysis, security assessment, compliance checks, and misconfiguration detection.
Kubescape scans various components, including clusters, YAML files, and Helm charts. It leverages multiple frameworks such as NSA-CISA, MITRE ATT&CK, and CIS benchmarks to identify misconfigurations.
Address:
Matano
Matano is an open source cloud-native security lake platform positioned as an alternative to a SIEM (Security Information and Event Management system). It enables petabyte-scale threat hunting, detection, response, and security analytics on AWS.
With Matano, users can collect data using ingestion methods based on S3 (Simple Storage Service) or SQS (Simple Queue Service). It comes with pre-configured sources such as CloudTrail, Zeek, and Okta, and pulls log data from SaaS sources automatically.
Address:
Malwoverview
Malwoverview is a popular threat hunting tool used for initial and rapid assessment of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes.
It provides the functionality to generate dynamic and static behavioral reports and allows users to submit and download samples from various endpoints. Malwoverview can also act as a client for existing sandboxes, enabling effective analysis of potential threats.
Address:
Metasploit Framework
Metasploit Framework is a modular penetration testing platform based on Ruby. It allows users to write, test, and execute exploit code.
It includes a set of tools for testing security vulnerabilities, network enumeration, exploit execution, and detection evasion.
Metasploit Framework is one of the most popular offensive security toolkits today, providing a complete environment for penetration testing and exploit development.
Address:
MISP
MISP is an open source threat intelligence platform for collecting, storing, distributing, and sharing cyber security indicators and threat information related to security incidents and malware analysis. It is designed specifically for incident analysts, security and ICT professionals, and malware analysts to support their day-to-day operations and effectively share structured information.
The main goal of MISP is to facilitate structured information sharing within and outside the security community. It offers various functionalities to exchange and leverage such information through network intrusion detection systems (NIDS), log-based intrusion detection systems (LIDS), as well as log analysis tools and SIEM systems.
Address:
Nidhogg
Nidhogg is a rootkit designed for red teams. It bundles multiple capabilities, is straightforward to use, and can be integrated into red team C2 frameworks by including a single header file.
Nidhogg is compatible with x64 versions of Windows 10 and Windows 11. The repository includes a kernel driver and a C++ header file for communication purposes.
Address:
RedEye
RedEye is an open source analysis tool developed by CISA and Pacific Northwest National Laboratory. Its purpose is to support red team analysis and reporting of command and control activities. It helps operators assess mitigation strategies, visualize complex data, and make informed decisions based on red team assessments.
The tool is designed to parse logs, particularly those generated by Cobalt Strike, and present the data in a user-friendly format that is easy to understand. Users can tag activities displayed in the tool and add comments to enhance collaboration and analysis. RedEye also offers a presentation mode, allowing operators to showcase their findings and workflows to stakeholders.
Address:
SpiderFoot
SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with various data sources and employs multiple data analysis techniques to facilitate navigation of collected information.
SpiderFoot includes an embedded web server that provides a user-friendly web-based interface, although users can also choose to operate it entirely through the command line. The tool is coded in Python 3 and released under the MIT license.
Address:
System Informer
System Informer is a free multipurpose tool that can monitor system resources, debug software, and detect malware.
It provides the following features:
- Overview of running processes and resource usage
- Detailed system information and charts
- View and edit services
- Other software debugging and analysis features
Address:
Tink
Tink is an open source cryptographic library developed by Google cryptographers and security engineers. It provides a secure and user-friendly API that minimizes common errors through user-centered design, rigorous implementation and code review, and thorough testing.
Tink is specifically designed to help users without a background in cryptography perform encryption tasks securely and has been deployed in numerous Google products and systems.
Address:
Vuls
Vuls is a vulnerability scanner designed for Linux, FreeBSD, containers, WordPress, programming language libraries, and network devices.
Vuls is an agentless tool with the following main functionalities:
- Identifying system vulnerabilities
- Providing information about affected servers
- Automatic vulnerability detection
- Reporting vulnerabilities on a regular basis using methods such as CRON
Address:
Wazuh
Wazuh is a free and open source platform that provides threat prevention, detection, and response capabilities to protect workloads in various environments, including on-premises, virtualized, containerized, and cloud-based setups.
Wazuh has two main components: the endpoint security agent and the management server. The endpoint security agent is installed on the systems being monitored and is responsible for collecting security-related data. The management server receives the data collected by the agents and performs analysis on it.
Wazuh is fully integrated with the Elastic Stack, providing a search engine and data visualization tools. This integration allows users to browse their security alerts and gain insights from the collected data.
Address: https://github.com/wazuh/wazuh
x64dbg
x64dbg is an open source binary debugger designed for the Windows operating system. It focuses on analyzing malware or reverse engineering executable files when source code is not available.
The main features of x64dbg include:
- Customizability: Users can write plugins in C++, customize colors, and adjust preferences according to their needs.
- x64/x32 support: It can handle both x64 and x32 applications simultaneously, providing a unified debugging interface.
- Built on open source libraries: x64dbg uses Qt, TitanEngine, Zydis, Yara, Scylla, Jansson, lz4, XEDParse, asmjit, and snowman.
- Developer-friendly: The software is developed using C++ and Qt, making it easy to add new features.
- Scriptability: x64dbg has an integrated and debuggable ASM-like scripting language.
- Community-driven: Many features of x64dbg are conceived or implemented by the reverse engineering community.
- Extensibility: Users can create plugins to add custom script commands or integrate external tools.
Address: https://github.com/x64dbg/x64dbg