Skip to content

TOP 20 Open-source tools every Blue Teamer should have

In this module we are going to explore the TOP 20 open source tools that every blue teamer should have:

The Hive

TheHive is a scalable 4-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. Thanks to Cortex, our powerful free and open-source analysis engine, you can analyze (and triage) observables at scale using more than 100 analyzers.

Its official website:


OSSIM is an open-source security information and event management system (SIEM). It was developed in 2003. The project was acquired later by AT&T.

You can download it from here:


If you are into threat hunting than you probabilly heard of the HELK project. The HELK was developed by Roberto Rodriguez (Cyb3rWard0g) under GPL v3 License. The project was build based on the ELK stack in addition to other helpful tools like Spark, Kafka and so on.

Its official website: Cyb3rWard0g/HELK: The Hunting ELK - GitHub


Scanning is one of the required steps in every attacking operation. After gathering information about a target you need to move on to another step which is scanning. If you are into information security you should have Nmap in your arsenal. Nmap (The abbreviation of Network mapper) is the most powerful network scanner. It is free and open-source. It gives you the ability to perform different types of network scans in addition to other capabilities thanks to its provided scripts. Also, you can write your own NSE scripts.

You can download it from here:


Memory malware analysis is widely used for digital investigation and malware analysis. It refers to the act of analyzing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artifacts including network information, running processes, API hooks, kernel loaded modules, Bash history, etc. Volatility is the most suitable tool to do that. It is an open-source project developed by volatility foundation. It can be run on Windows,Linux and MacOS. Volatility supports different memory dump formats including dd, Lime format, EWF and many other files.

You can download Volatility from here:

Demisto Community Edition

Security Orchestration, Automation and Response or simply SOAR are very effective platforms and tools to avoid analysts fatigue by automating many repetitive security tasks. One of the most-known platforms is Demisto. The platform provides also many free playbooks.

You can download the community edition from here:


Communication and networking are vital for every modern organization. Making sure that all the networks of the organization are secure is a key mission. The most suitable tool that will help you monitor your network is definitely Wireshark. Wireshark is a free and open-source tool to help you analyse network protocols with deep inspection capabilities. It gives you the ability to perform live packet capturing or offline analysis. It supports many operating systems including Windows, Linux, MacOS, FreeBSD and many more systems.

You can download it from here:

Atomic Red Team

Atomic __Red Team__ allows every __security team__ to test their controls by executing simple "atomic tests" that exercise the same __techniques__ used by adversaries (all mapped to Mitre's ATT&CK)

Its official website:


Another threat simulation tool is Caldera.

CALDERA is an __automated__ adversary emulation system that performs post-compromise adversarial behavior within __WindowsEnterprise__ networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.

Its official website:


Intrusion detection systems are a set of devices or pieces of software that play a huge role in modern organizations to defend against intrusions and malicious activities. The role of network-based intrusion detection systems is to detect network anomalies by monitoring the inbound and outbound traffic. One of the most-used IDSs is Suricata. Suricata is an open-source IDS/IPS developed by the Open Information Security Foundation (OISF)

Its official website:

Zeek (Formely Bro IDS)

Zeek is one of the most popular and powerful NIDS. Zeek was known before by Bro. This network analysis platform is supported by a large community of experts. Thus, its documentation is very detailed and good.

Its official website:


OSSEC is a powerful host-based intrusion detection system. It provides Log-based Intrusion Detection (LIDs), Rootkit and Malware Detection, Compliance Auditing, File Integrity Monitoring (FIM) and many other capabilities.

Its official website:


OSQuery is a framework that is supported by many operating systems in order to perform system analytics and monitoring using simple queries. It uses SQL queries.

Its official website:

AccessData FTK Imager

Forensics imaging is a very important task in digital forensics. Imaging is copying the data carefully with ensuring its integrity and without leaving out a file because it is very critical to protect the evidence and make sure that it is properly handled. That is why there is a difference between normal file copying and imaging. Imaging is capturing the entire drive. When imaging the drive, the analyst image the entire physical volume including the master boot record. One of the used tools is "AccessData FTK Imager".

Its official website:


Malware analysis is the art of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware analyst, our main role is to collect all the information about malicious software and have a good understanding of what happened to the infected machines. The most-known malware sandbox is cuckoo.

Its official website:


Malware Information Sharing Platform or simply MISP is an open-source threat sharing platform where analysts collaborate and share information about the latest threats between them. The project was developed by Christophe Vandeplas and it is under GPL v3 license.

Its official website:


Another great reverse engineering tool is Ghidra. This project is open-source and it is maintained by the National Security Agency Research Directorate. Ghidra gives you the ability to analyze different file formats. It supports Windows, Linux and MacOS. You need to install Java in order to run it. The project comes with many helpful detailed training, documentation and cheat-sheets. Also, it gives you the ability to develop your own plugins using Java or Python.

Its official website is:


Another powerful network-based intrusion detection system is Snort. The project is very powerful and it was developed more than 5 million times. Thus, it is well documented and it is supported by a large community of network security experts.

Its official website:

Security Onion

If you are looking for a ready-to-use OS that contains many of the previously discussed tools you can simply download Security Onion. IT is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Its official website: