Threat Hunting
Explore 96 curated tools and resources
Search by name, description, or purpose... (⌘+K)
PINNED
Promoted • 4 toolsCommercial
Data Protection
Commercial
Network Security
Commercial
Consulting
Commercial
Vulnerability Management
Want your tool featured here?
Get maximum visibility with pinned placement
LATEST ADDITIONS
A managed security service providing comprehensive endpoint protection, XDR capabilities, and 24/7 managed detection and response across multiple platforms and environments.
A managed security service providing comprehensive endpoint protection, XDR capabilities, and 24/7 managed detection and response across multiple platforms and environments.
A network detection and response platform that uses machine learning to analyze network metadata for threat detection without requiring hardware sensors or being affected by encryption.
A network detection and response platform that uses machine learning to analyze network metadata for threat detection without requiring hardware sensors or being affected by encryption.
A cyber threat intelligence platform that provides actionable insights from adversarial sources to help organizations proactively detect and mitigate emerging threats.
A cyber threat intelligence platform that provides actionable insights from adversarial sources to help organizations proactively detect and mitigate emerging threats.
A comprehensive external cybersecurity platform that combines AI and human expertise to detect, analyze, and remediate threats outside the traditional security perimeter including brand impersonation, data leakage, and digital asset exposure.
A comprehensive external cybersecurity platform that combines AI and human expertise to detect, analyze, and remediate threats outside the traditional security perimeter including brand impersonation, data leakage, and digital asset exposure.
Silobreaker is an intelligence platform that processes unstructured data from open and dark web sources to support cyber threat intelligence, vulnerability management, and risk assessment workflows.
Silobreaker is an intelligence platform that processes unstructured data from open and dark web sources to support cyber threat intelligence, vulnerability management, and risk assessment workflows.
Silent Push Platform provides preemptive cyber defense by identifying malicious infrastructure before attacks are launched using Indicators of Future Attack (IOFA)™ technology.
Silent Push Platform provides preemptive cyber defense by identifying malicious infrastructure before attacks are launched using Indicators of Future Attack (IOFA)™ technology.
HYAS Insight is a threat intelligence platform that provides infrastructure intelligence and cyber threat hunting capabilities for security operations, fraud investigations, and adversary profiling.
HYAS Insight is a threat intelligence platform that provides infrastructure intelligence and cyber threat hunting capabilities for security operations, fraud investigations, and adversary profiling.
Darkscope is an AI-powered threat intelligence platform that uses virtual personas to monitor the dark web, social media, and deep web for cyber threats and security risks targeting organizations.
Darkscope is an AI-powered threat intelligence platform that uses virtual personas to monitor the dark web, social media, and deep web for cyber threats and security risks targeting organizations.
Zero Day Live is a threat intelligence platform that provides early detection of malware and zero-day vulnerabilities through a proprietary sensor network processing over 1 billion data points.
Zero Day Live is a threat intelligence platform that provides early detection of malware and zero-day vulnerabilities through a proprietary sensor network processing over 1 billion data points.
A network detection and response solution that uses AI and machine learning to monitor network traffic, identify malicious behavior, and connect related security events to reveal attack patterns without requiring endpoint agents.
A network detection and response solution that uses AI and machine learning to monitor network traffic, identify malicious behavior, and connect related security events to reveal attack patterns without requiring endpoint agents.
A tiered cyber threat intelligence service providing detection rules from public repositories with varying levels of analysis, processing, and guidance for security teams.
A tiered cyber threat intelligence service providing detection rules from public repositories with varying levels of analysis, processing, and guidance for security teams.
InSights by InQuest is a threat intelligence platform that delivers curated feeds of IOCs and C2 information to help security teams detect and respond to emerging threats.
InSights by InQuest is a threat intelligence platform that delivers curated feeds of IOCs and C2 information to help security teams detect and respond to emerging threats.
A threat intelligence platform that collects, analyzes, and operationalizes threat data from multiple sources to help organizations identify and respond to security threats.
A threat intelligence platform that collects, analyzes, and operationalizes threat data from multiple sources to help organizations identify and respond to security threats.
A mapping tool that correlates MITRE ATT&CK techniques with atomic tests and detection rules to analyze security detection coverage.
A mapping tool that correlates MITRE ATT&CK techniques with atomic tests and detection rules to analyze security detection coverage.
A threat intelligence platform that monitors, analyzes, and provides detailed information about threat actors targeting non-human identities across various industries.
A threat intelligence platform that monitors, analyzes, and provides detailed information about threat actors targeting non-human identities across various industries.
An AI-powered platform that automates threat hunting and analysis by processing cyber threat intelligence and generating customized hunt packages for SOC teams.
An AI-powered platform that automates threat hunting and analysis by processing cyber threat intelligence and generating customized hunt packages for SOC teams.
A comprehensive guide on Linux persistence mechanisms, focusing on scheduled tasks and jobs, their implementation, detection, and hunting strategies.
A comprehensive guide on Linux persistence mechanisms, focusing on scheduled tasks and jobs, their implementation, detection, and hunting strategies.
The Ransomware Tool Matrix is a repository that lists and categorizes tools used by ransomware gangs, aiding in threat hunting, incident response, and adversary emulation.
The Ransomware Tool Matrix is a repository that lists and categorizes tools used by ransomware gangs, aiding in threat hunting, incident response, and adversary emulation.
Wazuh is an open-source security platform offering unified XDR and SIEM protection for endpoints and cloud workloads, integrating various security functions into a single architecture.
Wazuh is an open-source security platform offering unified XDR and SIEM protection for endpoints and cloud workloads, integrating various security functions into a single architecture.
Akamai Hunt is a managed threat hunting service that detects and remediates evasive security risks in network environments using data analysis, AI, and expert investigation.
Akamai Hunt is a managed threat hunting service that detects and remediates evasive security risks in network environments using data analysis, AI, and expert investigation.
CrowdStrike Falcon Insight XDR is an AI-powered endpoint detection and response solution that provides comprehensive protection, visibility, and automated response capabilities.
CrowdStrike Falcon Insight XDR is an AI-powered endpoint detection and response solution that provides comprehensive protection, visibility, and automated response capabilities.
SentinelOne Purple AI is an AI-powered security analyst solution that simplifies threat hunting and investigations, empowers analysts, accelerates security operations, and safeguards data.
SentinelOne Purple AI is an AI-powered security analyst solution that simplifies threat hunting and investigations, empowers analysts, accelerates security operations, and safeguards data.
Kunai is a Linux-based system monitoring tool that provides real-time monitoring and threat hunting capabilities.
A comprehensive resource for threat hunting in Active Directory environments, covering tracking command-line/PowerShell activity, Kerberoasting detection, auditing attacker activity, and monitoring enterprise command-line activity.
A comprehensive resource for threat hunting in Active Directory environments, covering tracking command-line/PowerShell activity, Kerberoasting detection, auditing attacker activity, and monitoring enterprise command-line activity.
Modular Threat Hunting Tool & Framework
A high-interaction honeypot solution for detecting and analyzing SMB-based attacks
A free and open-source OSINT framework for gathering and analyzing data from various sources
A free and open-source OSINT framework for gathering and analyzing data from various sources
A collection of tools and resources for threat hunters.
A repository to aid Windows threat hunters in looking for common artifacts.
A repository to aid Windows threat hunters in looking for common artifacts.
A threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel
A threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
Intezer is a cloud-based malware analysis platform that detects and classifies malware using genetic code analysis.
A runtime threat management and attack path enumeration tool for cloud-native environments
A runtime threat management and attack path enumeration tool for cloud-native environments
A comprehensive Threat Intelligence Program Management Solution for managing the entire CTI lifecycle.
A comprehensive Threat Intelligence Program Management Solution for managing the entire CTI lifecycle.
A honeypot designed to detect and analyze malicious activities in instant messaging platforms.
A honeypot designed to detect and analyze malicious activities in instant messaging platforms.
A comprehensive incident response and threat hunting tool for Google Cloud Platform, providing logs and forensic data for effective incident response and threat hunting.
A comprehensive incident response and threat hunting tool for Google Cloud Platform, providing logs and forensic data for effective incident response and threat hunting.
A community-driven repository of pre-built security analytics queries and rules for monitoring and detecting threats in Google Cloud environments across various log sources and activity types.
A community-driven repository of pre-built security analytics queries and rules for monitoring and detecting threats in Google Cloud environments across various log sources and activity types.
A Splunk app mapped to MITRE ATT&CK to guide threat hunts.
Threat intelligence and digital risk protection platform
PyIOCe is a Python-based OpenIOC editor that enables security professionals to create, edit, and manage Indicators of Compromise for threat intelligence and incident response operations.
PyIOCe is a Python-based OpenIOC editor that enables security professionals to create, edit, and manage Indicators of Compromise for threat intelligence and incident response operations.
HoneyDB is a honeypot-based threat intelligence platform that provides real-time insights into attacker behavior and malicious activity on networks.
HoneyDB is a honeypot-based threat intelligence platform that provides real-time insights into attacker behavior and malicious activity on networks.
A program to extract IOCs from text files using regular expressions
A program to extract IOCs from text files using regular expressions
A web-based visualization tool for navigating and annotating MITRE ATT&CK matrices to support threat analysis, defensive planning, and security coverage assessment.
A web-based visualization tool for navigating and annotating MITRE ATT&CK matrices to support threat analysis, defensive planning, and security coverage assessment.
A collection of YARA rules for research and hunting purposes.
A collection of YARA rules for research and hunting purposes.
Tool for visualizing correspondences between YARA ruleset and samples
Tool for visualizing correspondences between YARA ruleset and samples
A Linux distribution designed for threat emulation and threat hunting, integrating attacker and defender tools for identifying threats in your environment.
A Linux distribution designed for threat emulation and threat hunting, integrating attacker and defender tools for identifying threats in your environment.
A PowerShell module for threat hunting and security analysis through Windows Event Log processing and malicious activity detection.
A PowerShell module for threat hunting and security analysis through Windows Event Log processing and malicious activity detection.
A community-driven informational repository providing resources and guidance for hunting adversaries in IT environments.
A community-driven informational repository providing resources and guidance for hunting adversaries in IT environments.
FireEye Mandiant SunBurst Countermeasures: freely available rules for detecting malicious files and activity
FireEye Mandiant SunBurst Countermeasures: freely available rules for detecting malicious files and activity
Threat hunting tool leveraging Windows events for identifying outliers and suspicious behavior.
Threat hunting tool leveraging Windows events for identifying outliers and suspicious behavior.
Comprehensive endpoint protection platform providing unified visibility and security for cloud workloads, endpoints, and containers.
Comprehensive endpoint protection platform providing unified visibility and security for cloud workloads, endpoints, and containers.
Lists of sources and utilities to hunt, detect, and prevent evildoers.
Lists of sources and utilities to hunt, detect, and prevent evildoers.
A digital forensics tool that extracts and analyzes Windows AppCompat and AmCache registry data for enterprise-scale forensic investigations.
A digital forensics tool that extracts and analyzes Windows AppCompat and AmCache registry data for enterprise-scale forensic investigations.
Daily feed of bad IPs with blacklist hit scores for cybersecurity professionals to stay informed about malicious IP addresses.
Daily feed of bad IPs with blacklist hit scores for cybersecurity professionals to stay informed about malicious IP addresses.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
Highlighter is a FireEye Market app that integrates with FireEye products to provide enhanced cybersecurity capabilities.
Signature-based YARA rules for detecting and preventing threats within Linux, Windows, and macOS systems.
Signature-based YARA rules for detecting and preventing threats within Linux, Windows, and macOS systems.
Repository of scripts, signatures, and IOCs related to various malware analysis topics.
Repository of scripts, signatures, and IOCs related to various malware analysis topics.
A Security Orchestration, Automation and Response (SOAR) platform for incident response and threat hunting.
A Security Orchestration, Automation and Response (SOAR) platform for incident response and threat hunting.
ChopShop is a MITRE framework that helps analysts create pynids-based decoders and detectors for identifying APT tradecraft in network traffic.
ChopShop is a MITRE framework that helps analysts create pynids-based decoders and detectors for identifying APT tradecraft in network traffic.
A community-driven open source project providing interactive notebooks with detection logic, adversary tradecraft, and resources organized according to MITRE ATT&CK framework for threat hunting and detection development.
A community-driven open source project providing interactive notebooks with detection logic, adversary tradecraft, and resources organized according to MITRE ATT&CK framework for threat hunting and detection development.
Cisco Secure Endpoint is a cloud-native endpoint security solution that provides advanced protection and response to threats.
Cisco Secure Endpoint is a cloud-native endpoint security solution that provides advanced protection and response to threats.
Unified defense platform providing endpoint protection, extended detection and response, threat hunting, and digital forensics and incident response.
Unified defense platform providing endpoint protection, extended detection and response, threat hunting, and digital forensics and incident response.
Collection of YARA signatures from recent malware research.
Collection of YARA signatures from recent malware research.
Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.
Strelka is a real-time, container-based file scanning system that performs file extraction and metadata collection at enterprise scale for threat hunting, detection, and incident response.
Utilize Jupyter Notebooks to enhance threat hunting capabilities by focusing on different threat categories or stages.
Utilize Jupyter Notebooks to enhance threat hunting capabilities by focusing on different threat categories or stages.
Blue-team capture the flag competition for improving cybersecurity skills.
Blue-team capture the flag competition for improving cybersecurity skills.
A low-interaction honeypot for detecting and analyzing potential attacks on Android devices via ADB over TCP/IP
A low-interaction honeypot for detecting and analyzing potential attacks on Android devices via ADB over TCP/IP
Sigma is a generic and open signature format for SIEM systems and other security tools to detect and respond to threats.
Sigma is a generic and open signature format for SIEM systems and other security tools to detect and respond to threats.
Unified repository for Microsoft Sentinel and Microsoft 365 Defender containing security content, detections, queries, playbooks, and resources to secure environments and hunt for threats.
Unified repository for Microsoft Sentinel and Microsoft 365 Defender containing security content, detections, queries, playbooks, and resources to secure environments and hunt for threats.
RiskAnalytics Solutions offers community projects for cyber threat intelligence sharing and collaboration.
RiskAnalytics Solutions offers community projects for cyber threat intelligence sharing and collaboration.
INE Security offers a range of cybersecurity certifications, including penetration testing, mobile and web application security, and incident response.
INE Security offers a range of cybersecurity certifications, including penetration testing, mobile and web application security, and incident response.
QRadio is a tool/framework designed to consolidate cyber threats intelligence sources.
QRadio is a tool/framework designed to consolidate cyber threats intelligence sources.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
Bitscout is a Bash-based live OS constructor tool for building customizable forensic environments used in remote system triage, malware hunting, and digital forensics investigations.
A comprehensive guide to incident response, providing effective techniques for responding to advanced attacks against local and remote network resources.
A comprehensive guide to incident response, providing effective techniques for responding to advanced attacks against local and remote network resources.
Root the Box is a real-time CTF scoring engine that provides a configurable platform for cybersecurity training through gamified wargames and competitions.
Root the Box is a real-time CTF scoring engine that provides a configurable platform for cybersecurity training through gamified wargames and competitions.
Level 400 training to become a Microsoft Sentinel Ninja.
Level 400 training to become a Microsoft Sentinel Ninja.
Visualize and analyze network relationships with AfterGlow
Windows event log fast forensics timeline generator and threat hunting tool.
Windows event log fast forensics timeline generator and threat hunting tool.
Powershell Threat Hunting Module for scanning remote endpoints and collecting comprehensive information.
Powershell Threat Hunting Module for scanning remote endpoints and collecting comprehensive information.
Unfetter is a reference implementation framework that collects events from client machines and performs CAR analytics using an ELK stack with Apache Spark to detect potential adversary activity.
Unfetter is a reference implementation framework that collects events from client machines and performs CAR analytics using an ELK stack with Apache Spark to detect potential adversary activity.
Open Source Threat Intelligence Gathering and Processing Framework
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
A cybersecurity tool for collecting and analyzing forensic artifacts on live systems.
Repository of Yara Rules created by TjNel.
A comprehensive repository of open-source security tools organized by attack phases for red team operations, adversary simulation, and threat hunting purposes.
A comprehensive repository of open-source security tools organized by attack phases for red team operations, adversary simulation, and threat hunting purposes.
Fast suspicious file finder for threat hunting and live forensics.
Fast suspicious file finder for threat hunting and live forensics.
A threat hunting tool for Windows event logs to detect APT movements and decrease the time to uncover suspicious activity.
A threat hunting tool for Windows event logs to detect APT movements and decrease the time to uncover suspicious activity.
A library of event-based analytics written in EQL to detect adversary behaviors identified in MITRE ATT&CK, providing detection rules for the Elastic Stack.
A library of event-based analytics written in EQL to detect adversary behaviors identified in MITRE ATT&CK, providing detection rules for the Elastic Stack.
PolySwarm is a malware intelligence marketplace that aggregates threat detection engines to provide early detection, unique samples, and higher accuracy.
PolySwarm is a malware intelligence marketplace that aggregates threat detection engines to provide early detection, unique samples, and higher accuracy.
An Open Source solution for management of Threat Intelligence at scale, integrating multiple analyzers and malware analysis tools.
An Open Source solution for management of Threat Intelligence at scale, integrating multiple analyzers and malware analysis tools.
Cortex is a tool for analyzing observables at scale and automating threat intelligence, digital forensics, and incident response.
Cortex is a tool for analyzing observables at scale and automating threat intelligence, digital forensics, and incident response.
A tool collection for filtering and visualizing logon events, designed for experienced DFIR specialists in threat hunting and incident response.
A tool collection for filtering and visualizing logon events, designed for experienced DFIR specialists in threat hunting and incident response.
The Trystero Project is a threat intelligence platform that measures email security efficacy and provides various tools and resources, while VMware Carbon Black offers endpoint protection and workload security solutions.
The Trystero Project is a threat intelligence platform that measures email security efficacy and provides various tools and resources, while VMware Carbon Black offers endpoint protection and workload security solutions.
A container of PCAP captures mapped to the relevant attack tactic
Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.
Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.
A comprehensive guide to developing an incident response capability through intelligence-based threat hunting, covering theoretical concepts and real-life scenarios.
A comprehensive guide to developing an incident response capability through intelligence-based threat hunting, covering theoretical concepts and real-life scenarios.
Pulsedive is a threat intelligence platform that provides frictionless threat intelligence for growing teams, offering features such as indicator enrichment, threat research, and API integration.
Pulsedive is a threat intelligence platform that provides frictionless threat intelligence for growing teams, offering features such as indicator enrichment, threat research, and API integration.
msticpy is a Python library for InfoSec investigation and threat hunting in Jupyter Notebooks, providing data querying, threat intelligence enrichment, analysis capabilities, and interactive visualizations.
msticpy is a Python library for InfoSec investigation and threat hunting in Jupyter Notebooks, providing data querying, threat intelligence enrichment, analysis capabilities, and interactive visualizations.
