Incident Response
Explore 224 curated tools and resources
PINNED
InfoSecHired
An AI-powered career platform that automates the creation of cybersecurity job application materials and provides company-specific insights for job seekers.
Mandos Brief Newsletter
A weekly newsletter providing cybersecurity leadership insights, industry updates, and strategic guidance for security professionals advancing to management positions.
Checkmarx SCA
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.
Check Point CloudGuard WAF
A cloud-native web application and API security solution that uses contextual AI to protect against known and zero-day threats without signature-based detection.
Orca Security
A cloud-native application protection platform that provides agentless security monitoring, vulnerability management, and compliance capabilities across multi-cloud environments.
DryRun
A GitHub application that performs automated security code reviews by analyzing contextual security aspects of code changes during pull requests.
Wiz
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.
LATEST ADDITIONS
A platform that maps enterprise attack surfaces by consolidating asset inventory, prioritizing vulnerabilities based on exposure, and providing contextual visualization of security risks.
An AI-powered SOC automation platform that performs autonomous alert triage, investigation, and incident response while augmenting human analyst capabilities.
An AI-powered security operations platform that automates alert investigation, triage, and response workflows for SOC analysts.
Application monitoring and security platform that provides runtime visibility, threat detection, and automated response capabilities for application-layer security
CBRX is a cloud-based platform that automates incident analysis and reporting for cybersecurity teams.
The Ransomware Tool Matrix is a repository that lists and categorizes tools used by ransomware gangs, aiding in threat hunting, incident response, and adversary emulation.
Arkime is an open-source network capture and analysis tool that provides comprehensive network visibility, facilitating swift identification and resolution of security and network issues.
TheHive is a case management platform for security operations teams that facilitates incident response, threat analysis, and team collaboration.
Cyera is a data security platform that discovers, classifies, and secures sensitive data across various environments, offering features such as DSPM, identity data access, and data privacy compliance.
Dropzone AI is an autonomous AI agent for SOCs that performs end-to-end investigations of security alerts, integrating with existing cybersecurity tools and data sources.
LogRhythm SIEM is a comprehensive security information and event management platform that collects, analyzes, and responds to security events across an organization's IT infrastructure.
Exabeam Security Operations Platform is a cloud-native security platform that applies AI and automation to security operations workflows for threat detection, investigation, and response.
Akamai Hunt is a managed threat hunting service that detects and remediates evasive security risks in network environments using data analysis, AI, and expert investigation.
ISO2HANDLE is a powerful software that provides a total solution for Q&R professionals, trusted by over 50,000 users and 750+ organizations worldwide.
CrowdStrike Falcon Insight XDR is an AI-powered endpoint detection and response solution that provides comprehensive protection, visibility, and automated response capabilities.
A cloud-native SIEM platform that provides security analytics, intuitive workflow, and simplified incident response to help security teams defend against cyber threats.
SentinelOne Purple AI is an AI-powered security analyst solution that simplifies threat hunting and investigations, empowers analysts, accelerates security operations, and safeguards data.
Infinity Platform / Infinity AI is an AI-powered threat intelligence and generative AI service that combines AI-powered threat intelligence with generative AI capabilities for comprehensive threat prevention, automated threat response, and efficient security administration.
Darktrace is a cyber security solution that uses AI to detect and prevent cyber attacks in real-time.
A penetration testing framework for identifying and exploiting vulnerabilities.
Provides advanced external threat intelligence to help organizations proactively identify and mitigate potential security threats.
A comprehensive Linux log analysis tool that streamlines the investigation of security incidents by extracting and organizing critical details from supported log files.
Interactive malware hunting service with live access to the heart of an incident.
A cybersecurity blog from Microsoft, featuring articles and guides on various security topics, including AI, threat intelligence, cloud security, and incident response.
Powerfully simple endpoint security solution that takes down threats without interrupting business.
A project that uses Athena and EventBridge to investigate API activity and notify of actions for incident response and misconfiguration detection.
An active and aggressive honeypot tool for network security.
An open-source security tool for AWS, Azure, Google Cloud, and Kubernetes security assessments and audits.
An open-source, drag-and-drop security workflow builder with integrated case management for automating security workflows and tackling alert fatigue.
RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.
mac_apt is a versatile DFIR tool for processing Mac and iOS images, offering extensive artifact extraction capabilities and cross-platform support.
Belkasoft offers cybersecurity solutions, training, and tools for businesses, law enforcement, and academia.
An extensible and open-source system for running, monitoring, and managing honeypots with advanced features.
A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.
A free and open-source OSINT framework for gathering and analyzing data from various sources
Incident response framework focused on remote live forensics
A toolkit that transforms PHP applications into web-based high-interaction Honeypots for monitoring and analyzing attacks.
A detection-as-code platform for streamlining cloud security operations and responding to security incidents.
A foundational guide for using deception against computer network adversaries using honeypots to detect adversaries before they accomplish their goals.
A repository to aid Windows threat hunters in looking for common artifacts.
Facilitating exchange of information and knowledge to collectively protect against cyberattacks.
A comprehensive guide to digital forensics and incident response, covering incident response frameworks, digital forensic techniques, and threat intelligence.
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
A framework/scripting tool to standardize and simplify the process of scripting favorite Live Acquisition utilities for Incident Responders.
A panic button app for triggering a ripple effect across apps responding to panic events
A comprehensive guide to understanding and responding to modern ransomware attacks, covering incident response, cyber threat intelligence, and forensic analysis.
A honeypot designed to detect and analyze malicious activities in instant messaging platforms.
A comprehensive incident response and threat hunting tool for Google Cloud Platform, providing logs and forensic data for effective incident response and threat hunting.
Automate security incident handling and facilitate real-time activities of incident handlers.
A Splunk app mapped to MITRE ATT&CK to guide threat hunts.
Threat intelligence and digital risk protection platform
A collection of incident response methodologies for various security incidents, providing easy-to-use operational best practices.
IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol, with a focus on incident handling automation and threat intelligence processing.
OpenIOC editor for building and manipulating threat intelligence data with support for various systems.
HoneyDB is a honeypot-based threat intelligence platform that provides real-time insights into attacker behavior and malicious activity on networks.
A collection of free shareable log samples from various systems with evidence of compromise and malicious activity, maintained by Dr. Anton Chuvakin.
Collection of malware persistence information and techniques
A documentation template library for implementing industrial information security management systems.
Dissect is a digital forensics & incident response framework that simplifies the analysis of forensic artefacts from various disk and file formats.
A collection of YARA rules for research and hunting purposes.
A report on detecting lateral movement through tracking event logs, updated to include analysis of various tools and commands used by attackers.
Tool for visualizing correspondences between YARA ruleset and samples
Cortex XSOAR is a comprehensive SOAR platform that automates and standardizes security processes for faster response times and increased team productivity.
A Linux distribution designed for threat emulation and threat hunting, integrating attacker and defender tools for identifying threats in your environment.
A web collaborative platform for incident responders to share technical details during investigations, shipped in Docker containers for easy installation and upgrades.
An intrusion prevention system for SSH that blocks IP addresses after a set number of consecutive failed login attempts.
An informational repo about hunting for adversaries in your IT environment.
Free tools for the CrowdStrike customer community to support their use of the Falcon platform.
Collection of scripts and resources for DevSecOps, Security Automation and Automated Incident Response Remediation.
SwishDbgExt is a Microsoft WinDbg debugging extension that enhances debugging capabilities for kernel developers, troubleshooters, and security experts.
Automated collection tool for incident response triage in Windows systems.
Utilizing SIEM, SOAR, and EDR technologies to enhance security operations with a focus on reducing incident response time.
A digital investigation platform for parsing, searching, and visualizing evidences with advanced analytics capabilities.
A standardized framework for describing and classifying cybersecurity incidents
Developing APIs to access memory on industrial control system devices.
A modular, menu-driven tool for building repeatable, time-delayed, distributed security events.
FortiEDR is an automated endpoint security solution that integrates with the Fortinet Security Fabric and third-party solutions to reduce MTTR and provide real-time breach detection and response.
A serverless, real-time, and retroactive malware detection tool that scans files with YARA rules and alerts incident response teams.
Curated datasets for developing and testing detections in SIEM installations.
A library and tools to access and manipulate VMware Virtual Disk (VMDK) files.
A comprehensive guide for computer security incident handling, providing guidelines for establishing incident response capabilities and handling incidents efficiently and effectively.
Comprehensive endpoint protection platform providing unified visibility and security for cloud workloads, endpoints, and containers.
Review of various MFT parsers used in digital forensics for analyzing NTFS file systems.
A system for collecting, managing, and distributing security information on a large scale, developed by CERT Polska.
A powerful tool for analyzing and visualizing system activity timelines.
Daily feed of bad IPs with blacklist hit scores for cybersecurity professionals to stay informed about malicious IP addresses.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
A framework for improving detection strategies and alert efficacy.
Signature-based YARA rules for detecting and preventing threats within Linux, Windows, and macOS systems.
Catalyst is a SOAR system that automates alert handling and incident response processes, adapting to your workflows and being open source.
Comprehensive digital forensics and incident response platform for law enforcement, corporate, and academic institutions.
Incident response and case management solution for efficient incident response and management.
Repository of scripts, signatures, and IOCs related to various malware analysis topics.
A robust and flexible hunt and incident response tool for investigating AzureAD, Azure, and M365 environments.
Web-based tool for incident response with easy local installation using Docker.
A Security Orchestration, Automation and Response (SOAR) platform for incident response and threat hunting.
Request Tracker for Incident Response (RTIR) is a tool for incident response teams to manage incident reports, correlate data, and facilitate communication.
An open source honeypot for NoSQL databases with support for Redis and additional features for detecting attackers and logging attack incidents.
A simple maturity model for enterprise detection and response
An open-source SOAR tool for automating threat and incident response workflows using CACAO security playbooks.
Dataplane.org is a nonprofit organization providing free data, tools, and analysis to increase awareness of Internet trends, anomalies, threats, and misconfigurations.
A Forensic Framework for Skype with various investigative options.
A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.
A daily updated summary of security advisories from various sources
A set of YARA rules for identifying files containing sensitive information
A comprehensive guide to memory forensics, covering tools, techniques, and procedures for analyzing volatile memory.
A comprehensive list of IP addresses for cybersecurity purposes, including threat intelligence, incident response, and security research.
A honeypot agent for running honeypots with service and data at threatwar.com.
Unified defense platform providing endpoint protection, extended detection and response, threat hunting, and digital forensics and incident response.
A cybersecurity concept categorizing indicators of compromise based on their level of difficulty for threat actors to change.
Collection of YARA signatures from recent malware research.
A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.
A honeytoken-based tripwire for Microsoft's Active Directory to detect privilege escalation attempts
A tool with advanced filtering capabilities for analyzing events based on time, path, weekday, and date.
Create checkpoint snapshots of the state of running pods for later off-line analysis.
DFIRTrack is an open source web application focused on incident response for handling major incidents with many affected systems, tracking system status, tasks, and artifacts.
A collection of companies that disclose adversary TTPs after being breached, useful for analysis of intrusions.
Real-time, container-based file scanning system for threat hunting and incident response.
Hoarder is a tool to collect and parse windows artifacts.
Blue-team capture the flag competition for improving cybersecurity skills.
CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.
In-depth threat intelligence reports and services providing insights into real-world intrusions, malware analysis, and threat briefs.
Endpoint security platform using Moving Target Defense to prevent cyber attacks and provide adaptive exposure management and threat prevention.
A collection of tools for forensics teams to collect evidence from cloud platforms
A low-interaction honeypot for detecting and analyzing potential attacks on Android devices via ADB over TCP/IP
INE Security offers a range of cybersecurity certifications, including penetration testing, mobile and web application security, and incident response.
Dispatch helps manage security incidents by integrating with existing tools and automating incident response tasks.
Repository of APT-related documents and notes sorted by year.
Anti-forensics tool for Red Teamers to erase footprints and test incident response capabilities.
Customizable live OS constructor tool for remote forensics and incident response.
A comprehensive Windows command-line reference guide for security professionals, system administrators, and incident responders.
Freely available network IOCs for monitoring and incident response
A comprehensive guide to incident response, providing effective techniques for responding to advanced attacks against local and remote network resources.
Cortex XDR is a comprehensive endpoint security solution that blocks advanced attacks with behavioral threat protection, AI, and cloud-based analysis, and provides complete endpoint security and lightning-fast investigation and response.
A System for Abuse- and Incident Handling with log file analysis capabilities.
Real-time capture the flag (CTF) scoring engine for computer wargames with a fun game-like environment for learning cybersecurity skills.
A comprehensive guide to incident response and computer forensics, covering the entire lifecycle of incident response and remediation.
Windows Event Log Analyzer with logon timeline generator and noise reduction for fast forensics.
A collaborative and open-source incident response platform for sharing observables among analysts.
Python command line utility for incident response in AWS
A practical guide to enhancing digital investigations with cutting-edge memory forensics techniques, covering fundamental concepts, tools, and techniques for memory forensics.
Level 400 training to become a Microsoft Sentinel Ninja.
Visualize and analyze network relationships with AfterGlow
Ansible role for deploying and managing Bifrozt honeypots
Collects and organizes Linux OS data for detailed analysis and incident response.
Zenduty's platform provides real-time operational health monitoring and incident response orchestration to improve incident response times and build a solid on-call culture.
A tool to remove malicious artifacts from Microsoft Office documents, preventing malware infections and data breaches.
A cybersecurity incident management platform for tracking and reporting incidents with agility and speed.
A tool that generates Yara rules for strings and their XOR encoded versions, as well as base64-encoded variations with different padding possibilities.
A DFIR console integrating various cybersecurity tools and frameworks for efficient incident response.
Modern digital forensics and incident response platform with comprehensive tools.
eCrimeLabs provides a SOAR platform for threat detection and response, integrated with MISP.
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
Repository of templates for Ayehu's workflows with the ability to design, execute, and automate IT and business processes.
Automated Digital Forensics and Incident Response (DFIR) software for rapid incident response and intrusion investigations.
AhnLab PLUS is a unified security platform providing comprehensive cybersecurity solutions for businesses.
Open Source computer forensics platform with modular design for easy automation and scripting.
A module-based AWS response tool for incident response in AWS environments.
Comprehensive documentation for ThreatConnect's REST API and SDKs.
A powerful tool for hiding the true location of your Teamserver, evading detection from Incident Response, redirecting users, blocking specific IP addresses, and managing Malleable C2 traffic in Red Team engagements.
A multi-platform open source tool for triaging suspect systems and hunting for Indicators of Compromise (IOCs) across thousands of endpoints.
A threat hunting tool for Windows event logs to detect APT movements and decrease the time to uncover suspicious activity.
In-depth analysis of real-world attacks and threat tactics
A practical guide to developing a comprehensive security monitoring and incident response strategy, covering incident response fundamentals, threat analysis, and data analysis.
Falcon Sandbox is a malware analysis framework that provides in-depth static and dynamic analysis of files, offering hybrid analysis, behavior indicators, and integrations with various security tools.
A community-led project focused on standardizing security event logs.
Open-source, free, and scalable cyber threat intelligence and security incident response solution with improved performance and new features.
A simple honeypot that opens a listening socket and waits for connection attempts, with configurable reply and event handling
YARA-Endpoint is a client-server architecture tool that can be used for endpoint protection and incident response.
A reliable end-to-end DFIR solution for boosting cyber incident response and forensics capacity.
Serverless, real-time data analysis framework for incident detection and response.
A library to access the Expert Witness Compression Format (EWF) for digital forensics and incident response.
Stenographer is a high-performance full-packet-capture utility for intrusion detection and incident response purposes.
ELAT (Event Log Analysis Tool) is a tool that helps in analyzing Windows event logs for malware detection.
A structured approach to managing and responding to suspected security events or incidents.
A comprehensive and unrestricted dataset of security incidents for research and decision-making
Cortex is a tool for analyzing observables at scale and automating threat intelligence, digital forensics, and incident response.
Access a repository of Analytic Stories and security guides mapped to industry frameworks, with Splunk searches, machine learning algorithms, and playbooks for threat detection and response.
A platform for creating and managing fake phishing campaigns to raise awareness and train users to identify suspicious emails.
Incident response and digital forensics tool for transforming data sources and logs into graphs.
A public incident response process documentation used at PagerDuty
A tool collection for filtering and visualizing logon events, designed for experienced DFIR specialists in threat hunting and incident response.
A full featured script to visualize statistics from a Shockpot honeypot, based on Kippo-Graph and utilizing various PHP libraries.
The Trystero Project is a threat intelligence platform that measures email security efficacy and provides various tools and resources, while VMware Carbon Black offers endpoint protection and workload security solutions.
An Outlook add-in for reporting suspicious emails to security teams and tracking user behavior during awareness campaigns.
A Live Response collection script for Incident Response that automates the collection of artifacts from various Unix-like operating systems.
A container of PCAP captures mapped to the relevant attack tactic
A framework for accumulating, describing, and classifying actionable Incident Response techniques
Shuffle Automation provides an open-source platform for security orchestration, automation, and response.
Incident response platform for automating alert handling and incident response procedures.
A library to access and parse Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.
A modular incident response framework in Powershell that uses Powershell Remoting to collect data for incident response and breach hunts.
A multithreaded YARA scanner for incident response or malware zoos.
A simple, self-contained modular host-based IOC scanner for incident responders.
Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT) for scoping compromises across cloud instances.
A DFIR Playbook Spec based on YAML for collaborative incident response processes.
A comprehensive guide to investigating security incidents in popular cloud platforms, covering essential tools, logs, and techniques for cloud investigation and incident response.
A Go-based honeypot server for detecting and logging attacker activity
Graylog offers advanced log management and SIEM capabilities to enhance security and compliance across various industries.
Using Apache mod_rewrite rules to rewrite incident responder or security appliance requests to an innocuous website or the target's real website.
The Cybersecurity and Infrastructure Security Agency (CISA) is a government agency that provides alerts, advisories, and resources to help protect the United States' critical infrastructure from cyber threats.
A comprehensive guide for system administrators to detect and identify potential security threats on Windows 2000 systems.
A comprehensive guide to developing an incident response capability through intelligence-based threat hunting, covering theoretical concepts and real-life scenarios.
A condensed field guide for cyber security incident responders, covering incident response processes, attacker tactics, and practical techniques for handling incidents.
Incident Response Documentation tool for tracking findings and tasks.
Detailed analysis of the event-stream incident and actions taken by npm Security.
Open source web app for storing and searching Actor related data from users and public repositories.
A cybersecurity challenge where you play the role of an incident response consultant investigating an intrusion at Precision Widgets of North Dakota.
A PHP based web application for managing postmortems with pluggable features.
Templates for incident response run-books tailored for AWS environments based on NIST guidelines.
A set of scripts for collecting forensic data from Windows and Unix systems respecting the order of volatility.
View physical memory as files in a virtual file system for easy memory analysis and artifact access.
Pulsedive is a threat intelligence platform that provides frictionless threat intelligence for growing teams, offering features such as indicator enrichment, threat research, and API integration.
Tools to export data from MISP MySQL database for post-incident analysis and correlation.
Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.
Get insights into the latest cybersecurity trends and expert advice on enhancing organizational security.
A Unix-based tool that scans for rootkits and other malware on a system, providing a detailed report of the scan results.
