A curated list of Advanced Persistent Threat (APT) frameworks, tools, resources, software, and tutorials. This list aims to help security researchers, threat hunters, and defenders find everything related to APT attacks and defense in one place.
Please take a quick look at the contribution guidelines first. If you know a tool that isn't present here, feel free to open a pull request.
It takes time to build up a collection of tools used in APT research and remember them all. This repo helps to keep all these scattered tools in one place.
- MITRE ATT&CK Navigator – Visualize and plan ATT&CK matrices.
- CALDERA – Automated adversary emulation system by MITRE.
- Atomic Red Team – ATT&CK-based test cases.
- Cobalt Strike – Commercial adversary emulation platform.
- Sliver – Open-source red team C2 and implants.
- Metasploit Framework – Exploit and post-exploitation framework.
- Red Team Toolkit – Collection of red team tools.
- Red Hunt Labs APT Simulator – Windows APT activity simulator.
- AttackIQ – Commercial adversary emulation platform.
- SafeBreach – Continuous breach validation platform.
- Picus Security – Threat-based security validation.
- ThreatQ – Threat intelligence platform with integrated simulation.
- Gophish – Open-source phishing toolkit.
- King Phisher – Phishing campaign tool.
- Social-Engineer Toolkit – Social engineering attack framework.
- ReelPhish – Real-time two-factor phishing tool.
- Evilginx2 – Reverse proxy phishing framework.
- MailSniper – Email reconnaissance and phishing tool.
- Phishery – Simple phishing credential harvester.
- Modlishka – Advanced reverse proxy phishing tool.
- Impacket – Network protocol toolkit often used for credential access and persistence.
- PowerSploit – PowerShell post-exploitation modules.
- SharPersist – Windows persistence toolkit.
- WMIExec – WMI-based execution and persistence.
- DLL Hijacking – DLL search order hijacking reference.
- Startup Folder Persistence – Startup folder persistence technique.
- Scheduled Tasks – Scheduled task persistence reference.
- Service Registry Persistence – Windows service persistence.
- CrackMapExec – Swiss army knife for Windows network environments.
- BloodHound – Active Directory relationship and attack path analysis.
- Mimikatz – Credential extraction and privilege escalation tool.
- PsExec – Execute processes on remote Windows systems.
- Impacket SMBExec – Remote command execution over SMB.
- Responder – LLMNR/NBT-NS poisoning and credential capture.
- PowerView – Active Directory reconnaissance framework.
- SharpHound – Data collector for BloodHound.
- Rubeus – Kerberos abuse and ticket manipulation.
- Kerbrute – Kerberos brute force and enumeration tool.
- Covenant – .NET-based C2 framework.
- Havoc – Modern and modular post-exploitation framework.
- Merlin – HTTP/2-based cross-platform C2.
- PoshC2 – PowerShell and Python command and control framework.
- Mythic – Collaborative red teaming platform.
- DeimosC2 – Modular cross-platform C2.
- TrevorC2 – C2 channel hidden behind a legitimate-looking website.
- QuasarRAT – Remote administration and C2 tool.
- AsyncRAT – Open-source remote access tool.
- Sliver – Cross-platform implant and C2 framework.
- DNSExfiltrator – Data exfiltration over DNS queries.
- DET – Data exfiltration toolkit.
- Cloakify – Transform data into harmless-looking text.
- Egress-Assess – Test outbound data paths.
- Iodine – IP over DNS tunneling.
- DNScat2 – Encrypted DNS command and control tunnel.
- Ptunnel – ICMP tunneling tool.
- Rclone – Cloud storage synchronization and transfer.
- Exfil – File exfiltration over multiple channels.
- Dropzone – Covert file transfer utility.
- MISP – Open threat intelligence sharing platform.
- OpenCTI – Cyber threat intelligence management.
- YARA – Pattern matching for malware detection.
- Sigma – Generic signature format for SIEM systems.
- Cortex – Observable analysis and response engine.
- TheHive – Security incident response platform.
- ThreatHunter Playbook – Threat hunting methodology and analytics.
- Maltego CE – Link analysis and OSINT platform.
- Security Onion – Threat hunting and network monitoring distro.
- GRR Rapid Response – Remote live forensics framework.
- Sysmon – System activity monitoring for Windows.
- Osquery – SQL-powered operating system instrumentation.
- Velociraptor – Advanced digital forensics and incident response.
- Elastic Endpoint – Endpoint detection and prevention.
- Wazuh – Open-source security monitoring and EDR.
- OSSEC – Host-based intrusion detection system.
- Falco – Runtime security for containers and cloud.
- Sysdig Secure – Container runtime security monitoring.
- Redline – Endpoint memory and behavioral analysis tool.
- Zeek – Network security monitoring platform.
- Suricata – High-performance IDS/IPS engine.
- Wireshark – Network protocol analyzer.
- Snort – Open-source intrusion detection system.
- Arkime – Large-scale packet capture and search.
- ntopng – Network traffic analysis and monitoring.
- NetworkMiner – Network forensic analysis tool.
- Brim – Desktop network traffic analysis.
- tcpdump – Command-line packet analyzer.
- Corelight – Enterprise Zeek-based network detection.
- Volatility – Advanced memory forensics framework.
- Volatility3 – Modern memory analysis platform.
- Rekall – Memory forensic framework.
- WinPmem – Windows memory acquisition.
- LiME – Linux memory extractor.
- Redline – Memory analysis and threat detection.
- Memoryze – Malware memory analysis.
- DumpIt – Memory acquisition utility.
- Belkasoft RAM Capturer – Live RAM capture tool.
- Magnet RAM Capture – Free memory capture utility.
- Ghidra – Software reverse engineering suite.
- IDA Free – Interactive disassembler and debugger.
- Cutter – GUI reverse engineering platform.
- Radare2 – Reverse engineering framework.
- Cuckoo Sandbox – Automated malware analysis.
- CAPE Sandbox – Malware configuration extraction.
- Any.Run – Interactive online malware sandbox.
- Hybrid Analysis – Online malware analysis platform.
- PE-sieve – Detect injected malware in processes.
- x64dbg – Open-source Windows debugger.
- Wazuh – Open-source SIEM and EDR platform.
- Elastic Security – Open-source endpoint and SIEM.
- OSQuery Fleet – Device fleet monitoring and endpoint visibility.
- CrowdStrike Falcon – Cloud-native endpoint protection.
- Microsoft Defender for Endpoint – Enterprise endpoint security.
- SentinelOne – Autonomous AI endpoint protection.
- Sophos Intercept X – Advanced endpoint defense.
- Bitdefender GravityZone – Endpoint protection platform.
- Trend Micro Apex One – Endpoint detection and response.
- Kaspersky Endpoint Security – Enterprise endpoint protection.
- MISP – Open threat intelligence sharing platform.
- OpenCTI – Cyber threat intelligence management.
- ThreatConnect – Threat intelligence operations platform.
- Anomali – Threat intelligence and analytics.
- Recorded Future – Real-time threat intelligence.
- IBM X-Force Exchange – Threat intelligence sharing.
- AlienVault OTX – Open threat intelligence community.
- VirusTotal Intelligence – Malware intelligence and analysis.
- GreyNoise – Internet background noise intelligence.
- MalwareBazaar – Malware sample sharing platform.
- Kali Linux – Penetration testing and security auditing distribution.
- Parrot Security OS – Security-focused GNU/Linux distribution.
- BlackArch – Arch Linux-based penetration testing distro.
- REMnux – Linux toolkit for reverse engineering and malware analysis.
- Flare VM – Windows malware analysis environment.
- SIFT Workstation – Digital forensics and incident response distro.
- Tsurugi Linux – DFIR and OSINT focused Linux distribution.
- CAINE – Computer Aided Investigative Environment.
- BackBox – Ubuntu-based security distribution.
- Security Onion – Network security monitoring OS.
- APT Simulator – Windows batch script simulating APT activities.
- Red Team Automation – Scripts to simulate attacker techniques.
- PurpleSharp – C# adversary simulation tool.
- Atomic Red Team – Portable atomic security tests.
- Invoke-AtomicRedTeam – PowerShell runner for Atomic tests.
- DetectionLab – Prebuilt blue team lab environment.
- Threat Hunter Playbook Labs – Hunting lab scenarios.
- Security Blue Team Toolkit – Defensive security tool collection.
- Red Team Field Manual – Red team reference toolkit.
- Blue Team Handbook Tools – Blue team tool references.
- MITRE ATT&CK Training – Official ATT&CK learning resources.
- Cybrary – Security training platform.
- SANS SEC565 – Red team adversary emulation course.
- SANS SEC504 – Incident handling course.
- Coursera Cybersecurity – University security courses.
- edX Cybersecurity – Academic cybersecurity programs.
- OpenSecurityTraining – Free low-level security training.
- PentesterLab – Hands-on penetration testing labs.
- Hack The Box Academy – Structured security training.
- TryHackMe – Beginner-friendly security learning platform.
- DetectionLab – Vagrant-based security lab.
- Security Onion Lab – Blue team monitoring lab.
- AD Security Lab – Active Directory attack/defense lab.
- Modern Windows Attacks Lab – Windows attack scenarios.
- Purple Team Lab – Attack and detection lab.
- Malware Traffic Analysis Lab – Packet analysis exercises.
- Red Team Toolkit Lab – Offensive lab tools.
- Blue Team Labs Online – DFIR and detection practice.
- RangeForce Community Edition – Security training simulator.
- CyberDefenders – Blue team challenge labs.
- MITRE ATT&CK – Adversary tactics and techniques knowledge base.
- Mandiant Threat Intelligence – APT reports and research.
- CrowdStrike Blog – Threat intelligence articles.
- Kaspersky Securelist – Malware and APT analysis.
- The DFIR Report – Incident response case studies.
- Red Canary Blog – Threat detection research.
- FireEye Blog – Advanced threat research.
- Unit 42 – Palo Alto threat intelligence.
- Talos Intelligence – Cisco threat research.
- BleepingComputer – Security news and incident coverage.
- APT Notes – Collection of public APT reports.
- Malpedia – Malware encyclopedia.
- Threat Actor Encyclopedia – Adversary group database.
- VirusTotal – Malware scanning and intelligence.
- Hybrid Analysis – Malware behavior database.
- Exploit Database – Public exploit archive.
- CVE Details – Vulnerability database.
- NVD – National vulnerability database.
- OWASP – Web security knowledge base.
- Security Wiki – General security knowledge.
- Mandiant M-Trends – Annual global cyber threat and incident response report.
- CrowdStrike Global Threat Report – Yearly adversary and intrusion trends analysis.
- Microsoft Digital Defense Report – Global cybercrime and nation-state threat overview.
- Cisco Talos Annual Threat Report – Enterprise threat intelligence insights.
- IBM X-Force Threat Intelligence Index – Global attack statistics and threat patterns.
- Kaspersky Security Bulletin – Malware and APT yearly analysis.
- Palo Alto Unit 42 Threat Reports – Nation-state and targeted attack studies.
- ESET Threat Report – Quarterly and annual malware/APT trends.
- Trend Micro Annual Cybersecurity Report – Global enterprise threat landscape.
- Sophos Threat Report – Enterprise defense and attack evolution analysis.
- FireEye Mandiant Threat Intelligence Reports – In-depth targeted attack and APT group analysis reports.
- Kaspersky Threat Intelligence Reports – APT campaigns, malware trends, and strategic threat analysis.
- Symantec (Broadcom) Threat Intelligence – Global threat activity and APT research publications.
- Recorded Future Threat Intelligence Reports – Nation-state actor tracking and campaign analysis.
- Google Threat Analysis Group (TAG) – Advanced persistent threat investigations and security disclosures.
- CERT/CC Vulnerability Notes & Reports – Coordinated vulnerability disclosures and incident reports.
- CISA / US-CERT Advisories – Critical infrastructure alerts and APT-related advisories.
- Dragonfly (Energetic Bear) Case Study – Unit42 – Detailed analysis of the Dragonfly APT group operations.
- APT29 (Cozy Bear) Analysis – Securelist – Behavioral and operational analysis of APT29 campaigns.
- Operation Aurora Technical Analysis – Google – Historical deep dive into the Operation Aurora intrusion campaign.
- BlackBerry Cylance Threat Research – Threat research, malware behavior studies, and adversary techniques.
- Palo Alto Networks Unit 42 Blog – Advanced threat intelligence and malware reverse-engineering reports.
- Cisco Talos Intelligence Blog – Attack trend monitoring and technical breakdowns.
- Kaspersky Securelist Technical Reports – Malware deep dives and APT campaign investigations.
- SANS Internet Storm Center – Daily security event analysis and emerging threat monitoring.
- Red Canary Threat Detection Reports – Detection strategies and real-world incident case studies.
- IEEE Xplore – Cybersecurity Papers – Large collection of peer-reviewed cybersecurity and threat research papers.
- ACM Digital Library – Security & Privacy – Academic publications on computer security and privacy.
- USENIX Security Symposium Papers – Top-tier security research conference papers.
- NDSS Symposium Papers – Network and Distributed System Security research.
- arXiv – Cryptography and Security – Open access preprints on security research.
- Google Scholar – APT Research – Academic search engine for threat and APT studies.
- ResearchGate – Cybersecurity – Research sharing platform for academic papers.
- Springer – Computer Security – Books and journals on information security.
- Elsevier – Computers & Security Journal – Peer-reviewed journal on cybersecurity.
- IACR ePrint Archive – Cryptography and applied security research archive.
- CISA Cybersecurity Advisories – Official U.S. government vulnerability and threat advisories.
- NCSC UK Reports – UK National Cyber Security Centre threat and incident reports.
- ENISA Threat Landscape – European Union cybersecurity threat landscape analysis.
- CERT-EU Security Advisories – EU institutional incident and vulnerability advisories.
- JPCERT/CC Reports – Japanese incident response and threat analysis publications.
- ANSSI Publications – French national cybersecurity agency reports.
- Australian Cyber Security Centre (ACSC) – National cyber threat and incident reports.
- NIST Computer Security Publications – U.S. standards, frameworks, and security guidelines.
- Canadian Centre for Cyber Security – National alerts, advisories, and research.
- Singapore CSA Reports – National cybersecurity advisories and annual reviews.
- VirusTotal Public Datasets – Malware samples, hashes, and behavioral intelligence.
- MalwareBazaar – Public malware sample sharing platform.
- Abuse.ch Threat Feeds – IOC feeds including URLhaus, SSLBL, and Feodo Tracker.
- AlienVault OTX Pulses – Community-driven threat intelligence pulses and indicators.
- GreyNoise Intelligence – Internet background noise and scanner activity data.
- Shodan – Internet-connected device intelligence and exposure data.
- Censys – Internet-wide scanning datasets and certificates.
- The Zoo Malware Repository – Open malware sample repository for research.
- Open Threat Exchange API – Programmatic access to threat indicators.
- CIRCL Passive DNS – Passive DNS historical datasets.
- Original Security Research Papers – In-depth vulnerability analysis, exploit chains, and defensive methodologies authored by the repository owner.
- Automation Toolkits – Custom penetration testing scripts, scanners, and workflow automation utilities.
- Red / Blue Team Playbooks – Tactical guides for attack simulation and defense response.
- CTF Practice Labs – Self-built vulnerable environments with walkthroughs and solution write-ups.
- Code Audit Checklists – Practical auditing standards, secure coding references, and real-world case studies.
- Security Framework Templates – Policy, compliance, and governance document templates for organizations.
- AI-Assisted Security Tools – Experimental ML / AI models for anomaly detection, log analysis, and threat prediction.
- Plugin & Extension Ecosystem – Community-driven add-ons and integrations expanding core tools.
- API & SDK Access – Programmable interfaces for automation, data retrieval, and third-party integrations.
- Private Research Notes – Exclusive technical notes, exploit PoCs, and methodology breakdowns.
- Enterprise Training Programs – Structured corporate cybersecurity courses and customized learning paths.
- Certification Paths – Skill verification systems and internal certification standards.
- Consulting & Technical Support – Direct expert assistance and long-term advisory services.
- Private Knowledge Base – Members-only advanced materials, toolkits, and premium guides.
- Security Tool Licensing – Commercial licensing for proprietary scanners and frameworks.
- Bug Bounty Collaboration Hub – Organized vulnerability research and coordinated disclosure channels.
- Research Sponsorship Opportunities – Funded research topics and partnership initiatives.
- Contribution Reward System – Incentive mechanisms for active contributors and maintainers.
- Monthly Security Reports – Trend summaries, vulnerability statistics, and threat landscape analysis.
- Discussion Forum / Discord / Telegram – Centralized communication platforms for collaboration.
- Contributor Leaderboard – Public recognition and ranking of top contributors.
- Events & Workshops – Online webinars, offline meetups, and technical workshops.
- Newsletter Subscription – Periodic curated updates, announcements, and featured research.
- Community Challenges – Regular technical challenges and mini-CTF events.
- Open Governance Board – Transparent decision-making structure for community direction.
- Mentorship Program – Guidance channels connecting beginners with experienced researchers.
CC0