Security Operations Tools
Security operations tools for SIEM, SOAR, threat hunting, incident response, and security operations center (SOC) management.
Browse 1,895 security operations tools
FEATURED
USE CASES
A network of physical and online cyber warfare ranges for training and testing
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A collection of AWS-native scripts and automation tools for DevSecOps, incident response, and security remediation in cloud environments.
A Python module for orchestrating remote forensic data acquisition and analysis from Linux instances using Amazon SSM.
A project for demonstrating AWS attack techniques with a focus on ethical hacking practices.
TrailBlazer analyzes AWS CloudTrail logging behavior by systematically testing API calls across services to determine what gets logged and how it appears in CloudTrail.
Margarita Shotgun is a Python tool that enables remote memory acquisition from target systems through command line interface, supporting Linux distributions and other operating systems via Docker containers.
A collection of detections for Panther SIEM with detailed setup instructions.
A Python-based red team toolkit that leverages AWS boto3 SDK to perform offensive operations including credential extraction and file exfiltration from EC2 instances.
A serverless SOAR framework for AWS GuardDuty that automatically executes configurable response actions based on security findings and threat severity.
A Python tool that analyzes AWS CloudTrail data to summarize IAM principal activities, API calls, regions, IP addresses, and user agents with configurable timeframes and visualization options.
An AWS incident response framework that uses Athena to analyze CloudTrail events and EventBridge for notifications to investigate API activity and detect security misconfigurations.
AWS IR is a Python command line utility for automated incident response and mitigation of instance and key compromises in Amazon Web Services environments.
Steampipe is a zero-ETL solution for getting data directly from APIs and services.
CloudFox is an open source command line tool that helps penetration testers and offensive security professionals identify exploitable attack paths and gain situational awareness in cloud infrastructure environments.
An open source cloud-native security data lake platform for AWS that normalizes security logs into structured data with Detection-as-Code capabilities and vendor-neutral storage using open standards.
A post-exploitation framework for attacking AWS infrastructure, enabling attacks on EC2 instances without SSH keypairs and extraction of AWS secrets and parameters.
CloudCopy implements a cloud version of the Shadow Copy attack to extract domain user hashes from AWS-hosted domain controllers by creating and mounting volume snapshots.
A proof of concept for using the SSM Agent in Fargate for incident response
A Python-based modular incident response tool for AWS environments that enables automated security actions across EC2, IAM, VPC, and other AWS resources.
A command-line tool for searching AWS CloudWatch logs using pattern matching with configurable parameters for log groups, time ranges, and regions.
A collection of setup scripts for various security research tools with installers for tools like afl, angr, barf, and more.
IMAP-Honey is a honeypot tool for IMAP and SMTP protocols with support for logging to console or syslog.
Security Operations Specializations
1895 tools across 9 specializations · 1138 free, 757 commercial
Cyber Range Training
Cyber Range Training platforms and simulation environments for hands-on cybersecurity training and incident response exercises.
Digital Forensics and Incident Response
Digital Forensics and Incident Response (DFIR) tools for digital forensic analysis, evidence collection, malware analysis, and cyber incident investigation.
Extended Detection and Response
Extended Detection and Response (XDR) platforms that integrate multiple security products for unified threat detection and response across endpoints, networks, and cloud.
Security Operations Tools FAQ
Common questions about Security Operations tools, selection guides, pricing, and comparisons.
SIEM (Security Information and Event Management) collects, correlates, and analyzes security logs from across your environment to detect threats. SOAR (Security Orchestration, Automation and Response) automates incident response workflows and playbooks. XDR (Extended Detection and Response) integrates detection across endpoints, network, cloud, and email in a unified platform. Many organizations use SIEM for compliance and broad visibility, XDR for detection, and SOAR for response automation.
It depends on your requirements. XDR provides superior detection by correlating telemetry across multiple security layers. However, SIEM is still needed if you have compliance requirements for long-term log retention, need to ingest logs from non-security sources (applications, databases), or want custom correlation rules. Many organizations are consolidating from SIEM to XDR for detection while keeping SIEM for compliance and log management.
MDR (Managed Detection and Response) provides 24/7 threat monitoring, detection, and response delivered as a managed service. Choose MDR if: your team is too small to staff a 24/7 SOC (typically requires 8-12 analysts), you lack threat hunting expertise, or you need rapid security operations maturity. Build in-house when you need full control over detection logic, have unique threat models, or have the budget for a dedicated security operations team.
DFIR (Digital Forensics and Incident Response) tools help investigate security incidents by collecting and analyzing evidence: disk images, memory dumps, network captures, and log artifacts. You need DFIR capabilities when responding to confirmed breaches, conducting malware analysis, supporting legal proceedings, or performing proactive threat hunting. Many organizations outsource DFIR to specialized incident response firms.
