Explore 167 curated tools and resources
An API security platform that discovers, documents, and tests APIs throughout the development lifecycle while maintaining a centralized catalog of all API assets.
An automated red teaming and security testing platform that continuously evaluates conversational AI applications for vulnerabilities and compliance with security standards.
A DAST solution that performs automated security testing of APIs and web applications within development workflows and CI/CD pipelines.
An agentless API security platform that discovers, tests, and secures APIs through source code analysis without requiring traffic monitoring.
API Security is a comprehensive solution that provides continuous discovery, vulnerability assessment, threat detection, compliance monitoring, dynamic testing, and remediation capabilities to protect APIs against various threats and vulnerabilities.
Checkmarx One SAST is a static application security testing tool that combines speed and security to improve developer experience.
Veracode is an intelligent software security platform that helps developers and security teams secure code, find and fix flaws, and automate remediation.
A tool to find XSS vulnerabilities in web applications
A collection of XSS payloads designed to turn alert(1) into P1
A tool to detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
A tool for testing and exploiting Cross-Site Scripting (XSS) vulnerabilities.
A scripting engine for interacting with GraphQL endpoints for pentesting purposes.
A small script to check a list of domains against open redirect vulnerability
A collection of payloads and methodologies for web pentesting.
A Python-based web application scanner for OSINT and fuzzing OWASP vulnerabilities
A tool to escalate SSRF vulnerabilities on modern cloud environments
A simple Swagger-ui scanner that detects old versions vulnerable to various XSS attacks
Automated web application testing tool
A tool for automated HTTP header injection
A tool for identifying and extracting parameters from HTTP requests and responses
Converts the format of various S3 buckets for bug bounty and security testing.
A command-line tool for identifying NoSQL injection vulnerabilities in MongoDB databases
A tool for testing subdomain takeover possibilities at a mass scale.
A Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
Fuzzilli is a JavaScript engine fuzzer that helps identify vulnerabilities in JavaScript engines.
Command line tool for testing CRLF injection on a list of domains.
A Burp Suite extension that formats GraphQL requests for easier reading
A toolkit for detecting and tracking Blind XSS, XXE, and SSRF vulnerabilities
A free online tool to scan for DOM-based XSS vulnerabilities in HTML, JavaScript, and CSS files.
A simple Python script to test for a hypothetical JWT vulnerability
SSH Honeypot written in Go that records commands and IP addresses of attempted logins.
Self-hosted Fuzzing-As-A-Service platform for continuous developer-driven fuzzing.
A comprehensive collection of security assessment lists for security testers.
A honeypot that emulates a Belkin N300 Home Wireless router with default setup to observe traffic
An extensible and open-source system for running, monitoring, and managing honeypots with advanced features.
Technique used to forward one URL to another.
A honeypot for remote file inclusion (RFI) and local file inclusion (LFI) that uses fake URLs to catch scanning bots and malware.
IMAP-Honey is a honeypot tool for IMAP and SMTP protocols with support for logging to console or syslog.
A simple file format fuzzer for Android that can fuzz multiple readers at once
Endlessh is an SSH tarpit that traps SSH clients by sending an endless, random SSH banner.
A tool for testing and analyzing RFID and NFC tags, allowing users to read and write data, and perform various attacks and tests.
A comprehensive open dictionary of fault injection patterns and predictable resource locations for dynamic application security testing
Automatic authorization enforcement detection extension for Burp Suite
A customizable offensive security reporting solution for pentesters and red teamers to generate detailed reports of their findings and vulnerabilities.
A vulnerable Android application demonstrating various security issues and vulnerabilities
A utility to generate malicious network traffic for security evaluation.
Static application security testing (SAST) tool for scanning source code against security and privacy risks.
Tcpreplay is a network traffic editing and replay tool used for testing network devices and applications.
App-Ray offers comprehensive security analysis and compliance solutions for mobile applications.
A framework for building code injection vulnerability testbeds
testssl.sh is a free command line tool for checking a server's TLS/SSL configuration, with clear and machine-readable output.
A vulnerability scanner that helps you identify and fix vulnerabilities in your code
A comprehensive checklist for securing Android apps
ElasticSearch honeypot to capture attempts to exploit CVE-2014-3120, with logging and daemon options.
GNU/Linux Wireless distribution for security testing with XFCE desktop environment.
Repository of tools for testing iPhone messaging by Project Zero
Fast, smart, effective port scanner with extensive extendability and adaptive learning.
A dynamic infrastructure framework for efficient multi-cloud security operations and distributed scanning.
LaBrea is a 'sticky' honeypot and IDS tool that traps malicious actors by creating virtual servers on unused IP addresses.
A series of small test cases designed to exercise different parts of a static security analyzer
A tool to profile web applications based on response time discrepancies.
A series of vulnerable virtual machine images with documentation to teach Linux, Apache, PHP, MySQL security.
A Linux distribution designed for threat emulation and threat hunting, integrating attacker and defender tools for identifying threats in your environment.
A VM for mobile application security testing, Android and iOS applications, with custom-made tools and scripts.
Adversary emulation framework for testing security measures in network environments.
A WebSocket Manipulation Proxy with a user interface to capture, intercept, and send custom messages for WebSocket and Socket.IO communications.
A collection of real-world scenarios to evaluate command injection detection and exploitation abilities
Android vulnerability analysis system with efficient scanning and high accuracy.
A massive SQL injection vulnerability scanner
A proof-of-concept for an adaptive parallelised DNS prober
Chameleon aids in evading proxy categorization to bypass internet filters.
Create a vulnerable active directory for testing various Active Directory attacks.
A vulnerable web site in NodeJS for testing security source code analyzers.
HoneyDrive is the premier honeypot Linux distro with over 10 pre-installed honeypot software packages and numerous analysis tools.
DET (extensible) Data Exfiltration Toolkit is a proof of concept tool for performing Data Exfiltration using multiple channels simultaneously.
A comprehensive guide to Nessus, a vulnerability scanner, covering data directories, binary directories, logs directories, plugin directories, advanced settings, API, and good practices.
Snort 3 is the next generation Snort IPS with enhanced features and improved cross-platform support.
Introspy-Android is a blackbox tool for understanding Android app behavior and identifying security issues at runtime.
APKiD is a tool that identifies compilers, packers, obfuscators, and other weird stuff in APK files.
An open-source tool for detecting and analyzing Android apps' vulnerabilities and security issues.
OWASP OWTF is a penetration testing framework focused on efficiency and alignment with security standards.
A platform offering hacking missions to test and enhance skills.
Platform for users to test cybersecurity skills by exploiting vulnerabilities.
A modified version of the OpenSSH daemon that forwards commands to Cowrie for logging brute force attacks and shell interactions.
King Phisher is a phishing campaign toolkit for testing and promoting user awareness through simulated attacks.
A structured approach for conducting penetration tests with seven main sections covering all aspects of the test.
A Ruby framework designed to aid in the penetration testing of WordPress systems.
A utility for testing AWS Lambda functions for SQL Injection vulnerabilities using SQLMap attacks.
SAST and malware analysis tool for Android APKs with detailed scan information.
Front page of the IO wargame with its various versions and connection details.
A simple Docker-based honeypot to detect port scanning
Modlishka is a reverse proxy tool for intercepting and manipulating HTTP traffic, ideal for penetration testers, security researchers, and developers to analyze and test web applications.
Mortar is an evasion technique to defeat and divert detection and prevention of security products, including AV, EDR, and XDR solutions.
Script for turning a Raspberry Pi into a Honey Pot Pi with various monitoring and logging capabilities.
A script for setting up a dionaea and kippo honeypot using Docker images.
A basic Flask-based Outlook Web App (OWA) honeypot for cybersecurity experimentation.
An open-source framework for testing and validating the security of AWS services and resources.
A powerful penetration testing platform for identifying vulnerabilities and weaknesses in computer systems.
Ansible role for deploying and managing Bifrozt honeypots
Fake SSH server that sends push notifications for login attempts
JARM is a TLS server fingerprinting tool used for identifying server configurations and malicious infrastructure.
XSS Polyglot Challenge - XSS payload running in multiple contexts for testing XSS.
Kali Linux is a specialized Linux distribution for cybersecurity professionals, focusing on penetration testing and security auditing.
Tcpdump is a command-line packet analyzer for capturing and analyzing network traffic.
CHIPSEC is a framework for analyzing the security of PC platforms and components, with tools for low-level interfaces and forensic capabilities.
Linux-based operating system intentionally vulnerable for cybersecurity practice.
A virtual machine with numerous security vulnerabilities for testing exploits with Metasploit.
A tool for finding AWS credentials in files, optimized for Jenkins integration.
A honeypot mimicking Tomcat manager endpoints to log requests and save attacker's WAR files for analysis.
DueDLLigence is an open-source tool for identifying and analyzing DLL hijacking vulnerabilities in Windows applications, providing automated analysis and remediation guidance.
A deliberately weak and insecure implementation of GraphQL for testing and practicing GraphQL security
LeakIX is a red-team search engine that indexes misconfigurations and vulnerabilities online.
A live archive of DEF CON CTF challenges, vulnerable by design, for hackers to play safely.
A Docker container that starts a SSH honeypot and reports statistics to the SANS ISC DShield project
An open-source Python software for creating honeypots and honeynets securely.
A simple Elasticsearch honeypot to catch attackers exploiting RCE vulnerabilities.
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library with a focus on speed, reliability, and ease of integration.
A wargaming network for penetration testers to practice their skills in a realistic environment.
A guide to brute forcing DVWA on the high security level with anti-CSRF tokens
A simple honeypot that opens a listening socket and waits for connection attempts, with configurable reply and event handling
Python utility for testing the existence of domain names under different TLDs to find malicious subdomains.
Static security code scanner (SAST) for Node.js applications with Docker support and integrations with Slack.
A lightweight web security auditing toolkit that simplifies security tasks and enhances productivity.
A free online tool that scans and fixes common security issues in WordPress websites.
A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options.
Open source penetration testing tool for detecting and exploiting command injection vulnerabilities.
Simple script to check a domain's email protections and identify vulnerabilities.
A security testing framework for Android with tools to search for vulnerabilities and interact with the Android Runtime.
A printer honeypot PoC that simulates a printer on a network to detect and analyze potential attackers.
Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
A low-interaction honeypot that logs IP addresses, usernames, and passwords used by clients connecting via SSH, primarily used for gathering intelligence on brute force attacks.
Fuzzapi is a Rails application with a user-friendly UI for API_Fuzzer gem and Docker setup.
HoneyThing is a honeypot for TR-069 Internet of Things devices that emulates known vulnerabilities and supports the TR-069 protocol.
Steganography brute-force utility with performance issues, deprecated in favor of stegseek.
Automated script to install and deploy a honeypot with kippo, dionaea, and p0f on Ubuntu 12.04.
A vulnerable web site for testing Sentinel features
Gamma Ray is a software that helps developers to look for vulnerabilities on their Node.js applications with a pluggable infrastructure for integration with vulnerabilities databases.
Emulate operating systems behind SSH servers for testing automation.
A proof of concept for using the SSM Agent in Fargate for incident response
An AI-powered career platform that automates the creation of cybersecurity job application materials and provides company-specific insights for job seekers.
Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.
Stay ahead in cybersecurity. Get the week's top cybersecurity news and insights in 8 minutes or less.
Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.
A cybersecurity platform that offers vulnerability scanning, Windows Defender and third-party AV management, and MFA compliance reporting, among other features.
Adversa AI is a cybersecurity company that provides solutions for securing and hardening machine learning, artificial intelligence, and large language models against adversarial attacks, privacy issues, and safety incidents across various industries.