Loading...
GEF (pronounced ʤɛf - 'Jeff') is a free tool. Security professionals most commonly compare it with . All 244 alternatives are matched by shared capabilities, tags, and NIST CSF 2.0 coverage.
A closer look at the 8 most relevant alternatives and competitors to GEF (pronounced ʤɛf - 'Jeff'), including their key features and shared capabilities.
Whole-system emulation environment for software dev, debugging, testing & security
PinCTF is a Python wrapper tool that uses Intel's Pin framework to instrument binaries and count instructions for reverse engineering analysis.
angr is a Python-based binary analysis framework that provides disassembly, symbolic execution, and program analysis capabilities for cross-platform binary examination.
PINCE is a front-end/reverse engineering tool for the GNU Project Debugger (GDB), focused on games, with CheatEngine-like value type support and memory searching capabilities.
Automated hardware reversing platform using robotics for embedded device analysis
AI agent platform for automating offensive security operations and evals.
AI-assisted vulnerability research and advanced offensive cyber tooling firm.
R&D firm providing cyber defense & operational tech for DoD and DHS.
Whole-system emulation environment for software dev, debugging, testing & security
PinCTF is a Python wrapper tool that uses Intel's Pin framework to instrument binaries and count instructions for reverse engineering analysis.
angr is a Python-based binary analysis framework that provides disassembly, symbolic execution, and program analysis capabilities for cross-platform binary examination.
PINCE is a front-end/reverse engineering tool for the GNU Project Debugger (GDB), focused on games, with CheatEngine-like value type support and memory searching capabilities.
Automated hardware reversing platform using robotics for embedded device analysis
AI agent platform for automating offensive security operations and evals.
AI-assisted vulnerability research and advanced offensive cyber tooling firm.
R&D firm providing cyber defense & operational tech for DoD and DHS.
AI agent for in-depth binary analysis and reverse engineering assistance.
MCP server enabling AI agents to autonomously run 150+ security tools
An open source machine code decompiler that converts binary executables into readable C source code across multiple architectures and file formats.
Fridump is an open source memory dumping tool that uses the Frida framework to extract accessible memory addresses from iOS, Android, and Windows applications for security testing and analysis.
A Java bytecode assembler and disassembler toolkit that converts classfiles to human-readable format and provides decompilation capabilities for reverse engineering Java applications.
A Go-based crash analysis tool that processes and reproduces crash files from fuzzing tools like AFL with multiple debugging engines and output formats.
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
A backend agnostic debugger frontend for debugging binaries without source code access.
A debugger tool for reverse engineers, crackers, and security analysts, with a user-friendly debugging UI and custom agent support.
JD-GUI is a graphical Java decompiler that reconstructs and displays source code from compiled ".class" files for reverse engineering and code analysis purposes.
steg86 is a steganographic tool that hides information within x86 and AMD64 binary executables without affecting their performance or file size.
Threat emulation tool for adversary simulations and red team operations
Private training course for IoT device pentesting and exploitation
DNS reconnaissance tool checking DNS records, subdomains, and third-party svcs
FourCore ATTACK is an adversary emulation platform to manage cyber risk with evidence
Post-exploitation threat emulation platform for red team operations.
Red team toolkit for EDR evasion, initial access, and post-exploitation.
Bundled offensive security suites combining pen testing, red teaming, and VM.
Offensive security firm offering AI pentesting, credential monitoring & compliance.
Boutique security firm offering red team, OSINT, and adversary simulation services.
A specification/framework for extending default C2 communication channels in Cobalt Strike
An open-source framework that enables building and deploying AI security tools
GraphSpy is a browser-based post-exploitation tool for Azure Active Directory and Office 365 environments that enables token management, reconnaissance, and interaction with Microsoft 365 services.
An Android port of the Radamsa fuzzing tool compiled with Android NDK to support Android ABIs for security testing on mobile platforms.
A covert channel technique that uses WebDAV protocol features to deliver malicious payloads and establish C2 communication while bypassing security controls.
LinksDumper extracts links and endpoints from HTTP responses to support web application security testing and reconnaissance activities.
A Linux command-line tool that allows you to kill in-progress TCP connections based on a filter expression, useful for libnids-based applications that require a full TCP 3-way handshake for TCB creation.
A Python script that converts shellcode into a PE32 or PE32+ file.
An AI-powered Google Dorking tool that helps create effective search queries to uncover sensitive information on the internet.
Semi-tethered jailbreak for iPhone 5s to iPhone X, running iOS 12.0 and up, using the 'checkm8' bootrom exploit.
Tcpreplay is a suite of Open Source utilities for editing and replaying captured network traffic.
LeakIX is a red-team search engine that indexes mis-configurations and vulnerabilities online.
PyBOF is a Python library that enables in-memory loading and execution of Beacon Object Files (BOFs) with support for argument passing and function targeting.
Parrot Security OS is a comprehensive, secure, and customizable operating system for cybersecurity professionals, offering over 600+ tools and utilities for red and blue team operations.
A collection of Python scripts for password spraying attacks against Lync/S4B & OWA, featuring Atomizer, Vaporizer, Aerosol, and Spindrift tools.
A command that builds and executes command lines from standard input, allowing for the execution of commands with multiple arguments.
Tool for enumerating proxy configurations and generating CobaltStrike-compatible shellcode.
SharpAppLocker is a C# tool that retrieves AppLocker application control policies from Windows systems, replicating the Get-AppLockerPolicy PowerShell cmdlet functionality.
SharpEDRChecker scans system components to detect security products and tools.
SharpShares efficiently enumerates and maps network shares and resolves names within a domain.
Kali Linux is a specialized Linux distribution for cybersecurity professionals, focusing on penetration testing and security auditing.
RedELK is a SIEM tool designed for red teams to monitor and receive alerts about blue team detection activities during penetration testing engagements.
An Azure Function that validates and relays Cobalt Strike beacon traffic based on Malleable C2 profile authentication.
Advanced command and control tool for red teaming and adversary simulation with extensive features and evasion capabilities.
A command line tool that generates randomized malleable C2 profiles for Cobalt Strike to vary command and control communication patterns.
C3 is a framework by WithSecureLabs for rapid prototyping of custom command and control channels that integrates with existing offensive security toolkits.
Chameleon aids in evading proxy categorization to bypass internet filters.
Charlotte is an undetected C++ shellcode launcher for executing shellcode with stealth.
CobaltBus integrates Cobalt Strike with Azure Service Bus to create covert C2 communication channels for red team operations.
Covenant is a collaborative .NET command and control framework designed for red team operations and offensive security engagements.
CrossC2 is a cross-platform payload generator that extends CobaltStrike's capabilities to Linux and macOS environments for red team operations.
Darkarmour is an open-source Windows antivirus evasion framework that enables security professionals to bypass antivirus detection through customizable obfuscation and anti-analysis techniques.
A managed code hooking template for .NET assemblies, enabling API hooking, code injection, and runtime manipulation.
Dnscan is a DNS reconnaissance tool that performs DNS scans, DNS cache snooping, and DNS amplification attack detection.
A reconnaissance tool that analyzes expired domains for categorization, reputation, and Archive.org history to identify candidates suitable for phishing and C2 operations.
A shellcode generator that creates position-independent code for loading and executing .NET Assemblies, PE files, and Windows payloads from memory.
EvilClippy is a cross-platform tool that creates malicious MS Office documents with hidden VBA macros and evasion techniques for penetration testing and red team operations.
A standalone man-in-the-middle attack framework used for phishing login credentials and bypassing 2-factor authentication.
A tool that generates .NET serialized gadgets for triggering assembly load and execution through BinaryFormatter deserialization in JavaScript, VBScript, and VBA scripts.
Havoc is a malleable post-exploitation command and control framework that provides a client-server architecture with payload generation, customizable C2 profiles, and team collaboration capabilities for red team operations.
A template-driven framework for creating custom evasion techniques to test Anti-Virus and EDR detection capabilities.
A tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) for offensive security purposes.
InvisibilityCloak is a proof-of-concept C# code obfuscation toolkit designed for red teaming and penetration testing to conceal post-exploitation tools from detection.
Ivy is a payload creation framework for executing arbitrary VBA source code directly in memory, utilizing programmatical access to load, decrypt, and execute shellcode.
A COM Command & Control framework that uses JScript to provide fileless remote access capabilities on Windows systems through a modular plugin architecture.
An OSINT tool that generates username lists for companies on LinkedIn for social engineering attacks or security testing purposes.
A LinkedIn reconnaissance tool for gathering information about companies and individuals on the platform.
Macro_Pack automates the generation and obfuscation of Office documents and scripts for penetration testing and security assessments.
A cross-platform HTTP/2 Command & Control framework written in Golang for post-exploitation activities and remote system management.
Modlishka is a reverse proxy tool for intercepting and manipulating HTTP traffic, ideal for penetration testers, security researchers, and developers to analyze and test web applications.
Mortar is an evasion technique to defeat and divert detection and prevention of security products, including AV, EDR, and XDR solutions.
MSBuildAPICaller is an offensive security tool that enables interaction with the MSBuild API to execute arbitrary scripts for red teaming and penetration testing purposes.
A macOS Initial Access Payload Generator for penetration testing and red teaming exercises.
A collaborative, multi-platform, red teaming framework for simulating attacks and testing defenses.
A lightweight Command and Control (C2) implant written in Nim that provides remote access capabilities for penetration testing and red team operations.
An open-source shellcode and PE packer for creating and managing portable executable files.
A proxy aware C2 framework for penetration testing, red teaming, post-exploitation, and lateral movement with modular format and highly configurable payloads.
Pupy is an open-source, cross-platform C2 framework that provides remote access and control capabilities for compromised systems across Windows, Linux, OSX, and Android platforms.
PwnAuth is an open-source tool for generating and managing authentication tokens across multiple protocols, designed for penetration testing and red team exercises.
Pwndrop is a self-deployable file hosting service for red teamers, allowing easy upload and sharing of payloads over HTTP and WebDAV.
RedGuard is a C2 front flow control tool that helps evade detection by security systems through traffic filtering and redirection capabilities.
A dynamic redirect rules generator that creates custom redirect configurations for penetration testing and security assessment scenarios.
RedWarden is a Cobalt Strike C2 reverse proxy that uses packet inspection and malleable profile correlation to evade detection by security controls during red team operations.
A C/C++ tool for remote process injection, supporting x64 and x86 operations, with system call macros generated by SysWhispers script.
A payload creation framework designed to bypass Endpoint Detection and Response (EDR) systems.
A post-exploitation framework designed to operate covertly on heavily monitored environments.
SharpC2 is a C#-based Command and Control framework that provides remote access capabilities for penetration testing and red team operations.
A comprehensive .NET post-exploitation library designed for advanced security testing.
Skyhook is an HTTP-based file transfer tool that uses obfuscation techniques to evade detection by Intrusion Detection Systems.
Adversary emulation framework for testing security measures in network environments.
SourcePoint generates customizable C2 profiles for Cobalt Strike servers to enhance evasion capabilities against security defenses.
TikiTorch is a process injection tool that executes code within the address space of other processes using various injection techniques.
A proof-of-concept tool that generates Excel BIFF8 files with embedded 4.0 macros programmatically without requiring Microsoft Excel installation.
Sysreptor provides a customizable security reporting solution for penetration testers and red teamers.
Simple C++ Encryption and Steganography tool for hiding files inside images using LSB encoding.
A hardware security validation toolkit for x86 platforms that provides bootable tools for checking platform configuration registers and managing SecureBoot keys.
Open source application for retrieving passwords stored on a local computer with support for various software and platforms.
Collection of Kubernetes manifests creating pods with elevated privileges for security testing.
Pack up to 3MB of data into a tweetable PNG polyglot file.
A command line steganography tool that uses LSB technique to hide files within images without visible alteration.
FOCA is a tool used to find metadata and hidden information in scanned documents, with capabilities to analyze various file types and extract EXIF information.
Ebowla is a tool for generating payloads in Python, GO, and PowerShell with support for Reflective DLLs.
Assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation.
A demonstration of a method to delete a locked executable or currently running file from disk.
Anti-forensics tool for Red Teamers to erase footprints and test incident response capabilities.
DET (extensible) Data Exfiltration Toolkit is a proof of concept tool for performing Data Exfiltration using multiple channels simultaneously.
PowerSploit is a PowerShell-based penetration testing framework containing modules for code execution, injection techniques, persistence, and various offensive security operations.
A collection of tips and tricks for container and container orchestration hacking and security testing.
Documentation of an AWS IAM privilege escalation technique that exploits the iam:CreatePolicyVersion permission to gain elevated access through policy manipulation.
PLCinject is a tool for injecting and patching blocks on PLCs with a call instruction.
Data exfiltration & infiltration tool using text-based steganography to evade security controls.
A Python framework for building custom Command and Control interfaces that implements Cobalt Strike's External C2 specification for data transfer between frameworks.
A tool for managing multiple reverse shell sessions/clients via terminal with a RESTful API.
A webshell manager via terminal for controlling web servers running PHP or MySQL.
A repository documenting AppLocker bypass techniques with verified methods, legacy DLL execution approaches, and a PowerShell module for identifying AppLocker weaknesses.
Tcpreplay is a network traffic editing and replay tool used for testing network devices and applications.
Kiterunner is a tool for lightning-fast traditional content discovery and bruteforcing API endpoints in modern applications.
Reformat and re-indent bookmarklets, ugly JavaScript, and unpack scripts with options available via UI.
A powerful and extensible framework for reconnaissance and attacking various networks and devices.
SILENTTRINITY is a Python-based, asynchronous C2 framework that uses .NET scripting languages for post-exploitation activities without relying on PowerShell.
A tool that generates pseudo-malicious files to trigger YARA rules.
A vulnerable web site in NodeJS for testing security source code analyzers.
A cross-platform post-exploitation HTTP/2 Command & Control framework designed specifically for testing and exploiting containerized environments including Docker and Kubernetes.
ISF (Industrial Exploitation Framework) - An exploitation framework for industrial systems with various ICS protocol clients and exploit modules.
KeeFarce extracts cleartext password database information from KeePass 2.x processes in memory using DLL injection and .NET runtime manipulation.
A collection of tools that execute programs directly in memory using various delivery methods including URL downloads and netcat connections.
A Linux process injection tool that uses ptrace() to inject assembly-based shellcode into running processes without NULL byte restrictions.
Aptoide is an alternative Android application marketplace that enables APK downloads and metadata retrieval for mobile security research and analysis.
A proof-of-concept executable injection tool that compiles and launches parasitic executables within target processes using standard or stealth injection techniques.
Offensive security tool for reconnaissance and information gathering with a wide range of features and future roadmap.
Fernflower is an analytical decompiler for Java with command-line options and support for external classes.
A powerful tool for extracting passwords and performing various Windows security operations.
A multi-threaded, feedback-driven evolutionary fuzzer that uses low-level process monitoring to discover security vulnerabilities in software applications.
A collection of security research tools from Google's Project Zero team for testing and analyzing iPhone messaging systems including SMS, iMessage, and IMAP protocols.
A tool to dump login passwords from Linux desktop users, leveraging cleartext credentials in memory.
ILSpy is the open-source .NET assembly browser and decompiler with various decompiler frontends and features.
A comprehensive repository of open-source security tools organized by attack phases for red team operations, adversary simulation, and threat hunting purposes.
High-performant, coroutines-driven, and fully customisable Low & Slow load generator for real-world pentesting with undetectability through Tor.
A Python utility that calculates RSA cryptographic parameters and generates OpenSSL-compatible private keys from prime numbers or modulus/exponent pairs.
A tool that simplifies the installation of tools and configuration for Kali Linux
A simple file format fuzzer for Android that can fuzz multiple readers at once
A JavaScript steganography module that hides encrypted secrets within text using invisible Unicode characters for covert communication across web platforms.
An API for constructing and injecting network packets with additional functionality.
nudge4j is a tool to control Java applications from the browser and experiment with live code.
A payload creation framework for generating and executing C# code payloads with anti-evasion capabilities for offensive security operations.
OneFuzz is a self-hosted Fuzzing-As-A-Service platform developed by Microsoft that enables continuous developer-driven security testing through automated fuzzing capabilities.
A powerful tool for hiding the true location of your Teamserver, evading detection from Incident Response, redirecting users, blocking specific IP addresses, and managing Malleable C2 traffic in Red Team engagements.
A PHP-based command and control framework that maintains persistent web server access through polymorphic backdoors and HTTP header communication tunneling.
A script to assist in creating templates for VirtualBox to enhance VM detection evasion.
Discontinued project for file-less persistence, attacks, and anti-forensic capabilities on Windows 7 32-bit systems.
OVAA is an intentionally vulnerable Android application that aggregates common platform security vulnerabilities for educational and security testing purposes.
DIVA Android is an intentionally vulnerable Android application designed to teach security professionals and developers about mobile application security flaws through hands-on learning.
A high-level C++ library for creating and decoding network packets with a Scapy-like interface.
A dynamic multi-cloud infrastructure framework that enables rapid deployment of disposable instances pre-loaded with security tools for distributed offensive and defensive security operations.
A repository containing material for Android greybox fuzzing with AFL++ Frida mode
Linux packet crafting tool for testing IDS/IPS and creating attack signatures.
A unified repository for different Metasploit Framework payloads.
A Python script that detects and removes Thinkst Canary Tokens from files using signature-based detection methods.
A Mac OS X code injection library that enables copying code into target processes and remotely executing it through new thread creation.
A library for integrating communication channels with the Cobalt Strike External C2 server.
MagSpoof is a hardware device that emulates magnetic stripe cards using electromagnetic fields for security research and educational purposes.
A proof-of-concept tool that demonstrates the Dirty COW kernel exploit (CVE-2016-5195) for privilege escalation within Docker containers, specifically targeting nginx images while providing mitigation guidance through AppArmor profiles.
SigThief extracts digital signatures from signed PE files and appends them to other files to create invalid signatures for testing Anti-Virus detection mechanisms.
A tool for interacting with Exchange servers remotely and exploiting client-side Outlook features.
A command-line tool that analyzes SPF and DMARC records to identify domains vulnerable to email spoofing attacks.
Online Telegram bot for collecting information on individuals from various websites.
A framework for creating XNU based rootkits for OS X and iOS security research
DOS attack by sending fake BPDUs to disrupt switches' STP engines.
An open-source penetration testing framework for social engineering with custom attack vectors.
InvalidSign is a security research tool that bypasses endpoint solutions by obtaining valid signed files with different hashes to evade signature-based detection mechanisms.
A collection of setup scripts for various security research tools with installers for tools like afl, angr, barf, and more.
CloudCopy implements a cloud version of the Shadow Copy attack to extract domain user hashes from AWS-hosted domain controllers by creating and mounting volume snapshots.
A post-exploitation framework for attacking AWS infrastructure, enabling attacks on EC2 instances without SSH keypairs and extraction of AWS secrets and parameters.
CloudFox is an open source command line tool that helps penetration testers and offensive security professionals identify exploitable attack paths and gain situational awareness in cloud infrastructure environments.
A Python-based red team toolkit that leverages AWS boto3 SDK to perform offensive operations including credential extraction and file exfiltration from EC2 instances.
A project for demonstrating AWS attack techniques with a focus on ethical hacking practices.
Bastille-Linux is a system hardening program that proactively configures the system for increased security and educates users about security settings.
Syntax highlighting for Smali (Dalvik) Assembly language in Vim.
iOS application for testing iOS penetration testing skills in a legal environment.
A workshop on hacking Bluetooth Smart locks, covering architecture, vulnerabilities, and exploitation techniques.
A featured networking utility for reading and writing data across network connections with advanced capabilities.
A VMware image for penetration testing purposes
UPX is a high-performance executable packer for various executable formats.
Alpha release of External C2 framework for Cobalt Strike with enhanced data channels.
Online Java decompiler tool with support for modern Java features.
A powerful interactive packet manipulation program and library for network exploration and security testing.
Firefox browser extension for displaying and editing HTTP headers.
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
A tool that uses Apache mod_rewrite to redirect invalid URIs to a specified URL
Learn how to create new Malleable C2 profiles for Cobalt Strike to avoid detection and signatured toolset
Customize Empire's GET request URIs, user agent, and headers for evading detection and masquerading as other applications.
A tutorial on how to use Apache mod_rewrite to randomly serve payloads in phishing attacks
Tool for randomizing Cobalt Strike Malleable C2 profiles to evade static, signature-based detection controls.
A command line utility for managing volume shadow copies with capabilities for evasion, persistence, and file extraction.
A tool that exposes the functionality of the Volume Shadow Copy Service (VSS) for creation, enumeration, and manipulation of volume shadow copies, with features for persistence and evasion.
A subdomain enumeration tool for penetration testers and security researchers.
A command-line tool for capturing automated screenshots of websites and mobile applications with support for multiple browsers and device emulations.
A Go-based command-line tool that uses Chrome Headless to automatically capture screenshots of web pages for reconnaissance and analysis purposes.
A tool for collecting and analyzing screenshots from remote desktop protocols, web applications, and VNC connections.
An automated tool for identifying technologies used on websites with mass scanning capabilities, based on the Wappalyzer detection engine.
A Go-based web spider tool for automated crawling and data collection from web resources across multiple protocols and formats.
A next-generation crawling and spidering framework for extracting data from websites
A Python script that finds endpoints in JavaScript files to identify potential security vulnerabilities.
A golang utility to spider through a website searching for additional links.
Fuzzilli is a JavaScript engine fuzzer that helps identify vulnerabilities in JavaScript engines.
A collection of CLI tools and API utilities for searching and filtering GitHub repositories by various criteria including keywords, users, organizations, and repository attributes.
Yar is a reconnaissance tool for scanning organizations, users, and repositories to identify vulnerabilities and security risks during security assessments.
A format conversion tool for S3 buckets designed to assist bug bounty hunters and security testers in standardizing bucket data during reconnaissance activities.
A list of services and how to claim (sub)domains with dangling DNS records.
A comprehensive repository of red teaming resources including cheatsheets, detailed notes, automation scripts, and practice platforms covering multiple cybersecurity domains.
A C++ staged shellcode loader with evasion capabilities, compatible with Sliver and other shellcode sources, designed for offensive security testing.
Common questions security professionals ask when evaluating alternatives and competitors to GEF (pronounced ʤɛf - 'Jeff').
The most popular alternatives to GEF (pronounced ʤɛf - 'Jeff') include Nightwing DejaVM, PinCTF, angr, PINCE, and Red Balloon Security RASPUTIN. These Offensive Security tools offer similar capabilities and are frequently compared by security professionals evaluating their options.
