Best SecLists Alternatives & Competitors in 2026

SprayingToolkit

A collection of Python scripts for password spraying attacks against Lync/S4B & OWA, featuring Atomizer, Vaporizer, Aerosol, and Spindrift tools.

Weakpass

A comprehensive collection of wordlists for bruteforcing and password cracking, covering various hashing algorithms and sizes.

o365-attack-toolkit

A toolkit to attack Office365, including tools for password spraying, password cracking, token manipulation, and exploiting vulnerabilities in Office365 APIs and services.

Offensive Docker

An image with commonly used tools for creating a pentest environment easily and quickly, with detailed instructions for launching in a VPS.

IntruderPayloads

A collection of payloads and methodologies for web pentesting.

ffufai

An AI-powered wrapper for ffuf that automatically suggests relevant file extensions for web fuzzing based on target URL analysis and response headers.

FYEO Custom Fuzz Testing

Custom blockchain fuzz testing service with bespoke harnesses & CI integration.

StealthNet AI

AI agent fleet for autonomous pentesting across external, API, web & vishing surfaces.

Webray RayBox

Automated penetration testing appliance covering recon-to-exploitation attack chain.

BloodHound

BloodHound is a Javascript web application that uses graph theory to analyze Active Directory and Azure environments, revealing hidden relationships and potential attack paths through visual mapping.

hakrawler

A fast web crawler for discovering endpoints and assets within web applications during security reconnaissance.

ParamSpider

A Python tool that mines URLs from web archives to assist security researchers in discovering potential attack surfaces for bug hunting and vulnerability assessment.

x8

x8 is a hidden parameters discovery suite that automatically identifies undocumented parameters in web applications and APIs for security testing purposes.

thc-hydra

A login cracker that can be used to crack many types of authentication protocols.

Pentesting Payloads

A web-based payload repository that generates ready-to-use exploits for pentesting

Android port of Radamsa

An Android port of the Radamsa fuzzing tool compiled with Android NDK to support Android ABIs for security testing on mobile platforms.

Habu Hacking Toolkit

A Python-based network hacking toolkit that implements various attack and reconnaissance techniques for educational purposes and network security learning.

Google Search Operators: The Complete List (44 Advanced Operators)

A reference guide listing 44 advanced Google search operators for enhanced search filtering and precision in information gathering activities.

xsshunter_client

A correlated injection proxy tool that integrates with XSS Hunter for automated cross-site scripting vulnerability testing and payload tracking.

Allseek

Open-source autonomous penetration testing platform.

oclhashcat

Hashcat is a fast and advanced password recovery utility that supports various attack modes and hashing algorithms, and is open-source and community-driven.

aircrack-ng

A suite of tools for Wi-Fi network security assessment and penetration testing.

Buster

Advanced email reconnaissance tool leveraging public data.

o365recon

A reconnaissance tool that retrieves information from Office 365 and Azure Active Directory using a valid credential.

Active Directory Control Paths

A tool for analyzing and visualizing control relationships and privilege escalation paths within Active Directory environments using graph-based representations.

LaZagne Project

Open source application for retrieving passwords stored on a local computer with support for various software and platforms.

Pwntools

Pwntools is a Python CTF framework and exploit development library that provides tools for rapid prototyping and development of exploits and CTF challenge solutions.

Legion

An open source network penetration testing framework with automatic recon and scanning capabilities.

Git Scanner Framework

A bash-based framework for discovering and extracting exposed .git repositories from web servers during penetration testing and bug bounty activities.

Raccoon

Offensive security tool for reconnaissance and information gathering with a wide range of features and future roadmap.

FuzzDB

FuzzDB is an open-source dictionary of attack patterns and predictable resource locations for dynamic application security testing and vulnerability discovery.

libformatstr.py

A Python library that simplifies format string vulnerability exploitation by providing tools for payload generation, memory manipulation, and automated parameter detection.

Boofuzz

Boofuzz is a network protocol fuzzing tool that aims to fuzz everything

WSSiP

A WebSocket Manipulation Proxy with a user interface to capture, intercept, and send custom messages for WebSocket and Socket.IO communications.

BurpSmartBuster

A Burp Suite plugin that performs intelligent content discovery by analyzing current requests to identify directories, files, and variations based on the application's structure.

Android greybox fuzzing with AFL++ Frida mode

A repository containing material for Android greybox fuzzing with AFL++ Frida mode

Metasploit Payloads

A unified repository for different Metasploit Framework payloads.

Payloads All The Things

A comprehensive repository of payloads and bypass techniques for web application security testing and penetration testing across multiple platforms and attack vectors.

Nimbostratus

A proof-of-concept toolkit for fingerprinting and exploiting Amazon Web Services cloud infrastructures using the boto library.

Enumerate IAM Permissions

A security assessment tool that identifies AWS IAM permissions by systematically testing API calls to determine the actual scope of access granted to specific credentials.

Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables with various features for password recovery.

Domain

Setup script for Regon-ng

screenshoteer

A command-line tool for capturing automated screenshots of websites and mobile applications with support for multiple browsers and device emulations.

gowitness

A Go-based command-line tool that uses Chrome Headless to automatically capture screenshots of web pages for reconnaissance and analysis purposes.

Gospider

A Go-based web spider tool for automated crawling and data collection from web resources across multiple protocols and formats.

GoLinkFinder

A fast and minimal JS endpoint extractor

parameth

A brute force parameter discovery tool for identifying hidden GET and POST parameters in web applications during security assessments.

ffuf

Fast web fuzzer written in Go