index.md

# Tools

| Name | Category | Description | License |
|------|----------|-------------|---------|
| AIL | Threat Intelligence | Framework for Analysis of Information Leaks. | Yes (AGPL-3.0) |
| Amazon S3 | Storage | Scalable cloud object storage by Amazon. | False |
| Ansible | Automation | Ansible provides an agentless tool for general IT automation. It is not specifically security focused, but it makes an easy automation language for interacting with systems in an automated way. The Ansible Automation Platform also makes it easy to hand playbooks over to analysts and restrict permissions and inputs. It also provides an API to kick off playbooks, which can be handy if you don't want to couple your automation implementation to a particular SOAR vendor. | Yes (GPL-3.0) |
| Arkime | Detection | Arkime (formerly Moloch) is a large-scale, open source, indexed packet capture and search tool. | Yes (Apache 2.0) |
| Chainsaw | Hunting / Forensics | Chainsaw provides a powerful "first-response" capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords and of identifying threats using built-in support for Sigma detection rules as well as custom Chainsaw detection rules. | Yes (GPL-3.0) |
| Containers | Packaging | Portable, isolated environments for workloads. | True |
| Cortex | Forensics automation | Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze the observables they have collected, at scale, by querying a single tool instead of several. Cortex, free and open source software, was created by TheHive Project for this very purpose. Observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one or in bulk mode using a web interface. Analysts can also automate these operations through the Cortex REST API. | True |
| CyberChef | Workflows | CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hex dumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more. The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. | Yes (Apache-2.0) |
| Fleet | Detection / Response | Open source osquery manager. Deploying osquery with Fleet enables programmable live queries, streaming logs, and effective management of osquery across 100,000+ servers, containers, and laptops. It is especially useful for talking to multiple devices at the same time (useful during investigations). | Yes (LICENSE) |
| GRR Rapid Response | Forensics automation | GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a Python client (agent) that is installed on target systems, and Python server infrastructure that can manage and talk to clients. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely. | Yes (Apache-2.0) |
| IntelMQ | Automation / workflows | IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol. ... Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs. IntelMQ can be used for automated incident handling, situational awareness, automated notifications, as a data collector for other tools, etc. | Yes (AGPL-3.0) |
| Iris | Ticket System / Case Management System | A collaborative platform aiming to help incident responders share technical details during investigations. | Yes (LGPL-3.0) |
| MISP | Threat Intelligence | MISP Threat Sharing (MISP) is an open source threat intelligence platform. The project develops utilities and documentation for more effective threat intelligence, by sharing indicators of compromise. | Yes (AGPL-3.0) |
| n6 | Automation / workflows | The n6 platform was created by CERT Polska as a system designed to collect, process and share information about network events and possible security incidents. Over a one-year period, millions of security incidents are processed, from Poland as well as from other parts of the world. n6 is fully automatic. Its goal is to be efficient, reliable and prompt in delivering large amounts of information about security incidents to the proper entities: network owners, administrators and operators. | Yes (AGPL-3.0) |
| OpenCTI | Threat Intelligence | OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. It is based on STIX and can use connectors to import and export data. | Yes (Apache-2.0) |
| OpenSearch | SIEM | OpenSearch is a fork of Elasticsearch. Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is dual-licensed under the source-available Server Side Public License and the proprietary (source-available) Elastic License. Official clients are available in Java, .NET (C#), PHP, Python, Ruby and many other languages. According to the DB-Engines ranking, Elasticsearch is the most popular enterprise search engine. | Yes (Apache-2.0) |
| Shuffler | Orchestration / full SOAR | Shuffle started as a project in mid-2019 because of a few automation-related problems that needed more attention in the CERT/SIRT community. Available automation solutions in the security industry try to do everything at once: handle tickets, indicators, threat intel and much more in a single platform. Our goal is instead to build the best solution to fit all your existing tools, following the Unix philosophy: do one thing and do it well. | Yes (AGPL-3.0) (SaaS installation available but at a cost) |
| Société Générale Fast Incident Response (FIR) | Forensics automation / incident management | FIR (Fast Incident Response) is a cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents. | Yes (GPLv3) |
| Suricata | Detection | Suricata is the leading independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks. | Yes (GPL-2.0) |
| TheHive5 | Response / Case management | A scalable and collaborative Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. | False |
| tines.io | Orchestration and Automation | | Closed source |
| Turbinia | Forensics automation | Turbinia is an open source framework for deploying, managing, and running distributed forensic workloads. | Yes (Apache-2.0) |
| Velociraptor | Forensics automation | Velociraptor is a tool for collecting host-based state information using Velociraptor Query Language (VQL) queries. It is a unique, advanced open source endpoint monitoring, digital forensic and cyber response platform. It was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints. Velociraptor provides you with the ability to respond more effectively to a wide range of digital forensic and cyber incident response investigations and data breaches. | Yes (AGPL-3.0) |
| Wazuh | Detection / Response | Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents. Wazuh has also been fully integrated with the Elastic Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts. | Yes (GPL-2.0) |