A practical catalog of security tools for students, red/blue teams, and builders. Focus is on widely used, well-maintained, and actually useful software across recon, web/API, cloud, containers, AD, DFIR, and more.
Format inspired by the structure and navigation style of my AI list. This one is tuned for security workflows and fast lookup.
Legal and ethical notice: Use these tools only on systems you own or are explicitly authorized to test. Many are dual-use. If you don't have written permission, don't touch it. This repository is intended for educational and authorized professional use only. The tools and resources listed here are for learning, security testing, and defensive research in controlled environments.
Use your browser's find (Ctrl+F or Cmd+F) or jump via the table:
| Category | What's in it |
|---|---|
| Core / Must-Know | Baseline tooling every security practitioner should know |
| Recon & Asset Discovery | Discovery, subdomains, screenshots, tech fingerprints |
| Port Scanning & Enumeration | Fast/precise scanning, service probing |
| Web App Testing | Proxies, fuzzers, SQLi/XSS/dir brute, parameter miners |
| API Security | REST/gRPC fuzzers, schema-based testing |
| CMS & Framework Scanners | WordPress, Drupal, Joomla, general CMS |
| Cloud Security | AWS/Azure/GCP posture, IAM hunting, S3 checks |
| Containers & Kubernetes | Image scanning, runtime defense, CIS checks |
| IaC, SBOM & Dependency Risk | Terraform checks, SCA, SBOM generation |
| Secrets Detection | Git and filesystem secrets finders |
| Active Directory & Windows | Enumeration, LLMNR/NTLM, ADCS, privesc |
| Network, Traffic & MITM | NIDS, packet capture, dissecting, interception |
| Wireless & Bluetooth | 802.11 capture/attacks, WPA/PMKID, BLE |
| Mobile Security | Android/iOS reversing, instrumentation |
| Reverse Engineering & Binary | Disassemblers, debuggers, symbolic exec |
| Fuzzing | AFL-class fuzzers, API fuzzers |
| Credentials, Cracking & Wordlists | Hashcat/JtR, spray/bruteforce, lists |
| OSINT & Threat Intel | Footprinting, TI platforms, hunting |
| Phishing & Social | Campaign frameworks, kits (defensive research use only) |
| C2 & Post-Exploitation | Open C2, operators, pivoting |
| Vuln Scanning & Management | Network/web scanners, template engines |
| DFIR & Forensics | Memory, disk, Windows triage, timelines |
| Tunneling, Pivoting & Relays | Socks/HTTP tunnels, relay tools |
| Helper Utilities | CLI helpers that save time |
| Hardware, RF & OT Pentest Tools | Flipper/Proxmark/SDR, embedded/JTAG, Hak5/O.MG |
| Books (Beginner → Advanced) | Curated reading path: foundations, web, RE, DFIR |
| Certifications | Entry, offensive, blue team, cloud, governance/privacy |
| Hands-On Training Platforms | TryHackMe/HTB, PortSwigger, OSINT/DFIR ranges |
| Courses & Structured Programs | Free academic, vendor programs, guided tracks |
| Compliance | ISO/NIST/CIS/GDPR/NIS2/DORA, tools, policy-as-code |
- [F] = Free/Open Source, [C] = Commercial or paid tier available
- OS tags: [Linux] [macOS] [Windows]
- Short on fluff. If you need deep docs, click through.
- Nmap [F] [Linux macOS Windows] — Network scanner, service/version scripts (NSE).
- Wireshark [F] [Linux macOS Windows] — Packet capture and protocol analysis.
- Burp Suite [F/C] [Linux macOS Windows] — Web proxy, repeater, intruder, extensible.
- OWASP ZAP [F] [Linux macOS Windows] — Web proxy/DAST alternative to Burp.
- Metasploit Framework [F] [Linux macOS Windows] — Exploitation framework and post-exploitation.
- OpenVAS / Greenbone [F] [Linux] — Network vuln scanning.
- ffuf [F] [Linux macOS Windows] — Fast web fuzzer for dirs/params/vhosts.
- sqlmap [F] [Linux macOS Windows] — Automated SQL injection/dumping.
- Hashcat [F] [Linux macOS Windows] — GPU/CPU password cracking.
- John the Ripper Jumbo [F] [Linux macOS Windows] — Password-cracking suite.
- Amass [F] — Subdomain enum via multiple sources and graphing.
- Subfinder [F] — Passive subdomain discovery.
- Assetfinder [F] — Find subdomains via public sources.
- httpx [F] — Fast HTTP probing with metadata.
- Nuclei [F] — Template-based vuln checks; pair with httpx.
- Naabu [F] — Fast port scanner (SYN).
- dnsx [F] — DNS toolkit (resolve/brute/certs).
- Aquatone [F] — Site screenshots by domain.
- gowitness [F] — Fast headless browser screenshots.
- theHarvester [F] — Emails, names, subdomains from search engines.
- Shodan CLI [F/C] — Shodan search from terminal.
- Censys CLI [F/C] — Censys lookups.
- masscan [F] — Very fast Internet-scale scanner.
- rustscan [F] — Rapid scanner that feeds into Nmap.
- zmap [F] — Single-probe Internet scanner.
- unicornscan [F] — Legacy but still useful for odd cases.
- Netcat / ncat [F] — Swiss-army knife for TCP/UDP.
- Burp Suite [F/C] — Intercept, modify, extend (BApp Store).
- OWASP ZAP [F] — Good automation and HUD for learning.
- ffuf [F] — Directory/parameter/vhost fuzzing.
- dirsearch [F] — Classic content discovery.
- wfuzz [F] — Flexible web fuzzing.
- Arjun [F] — Hidden parameter discovery.
- ParamSpider [F] — Parameter harvesting from URLs.
- dalfox [F] — XSS scanning with smart injection points.
- XSStrike [F] — XSS detection and exploitation.
- tplmap [F] — Server-Side Template Injection checks.
- Nikto [F] — Legacy but still useful web scanner.
- RESTler [F] — Smart REST API fuzzing from Swagger/OpenAPI.
- Schemathesis [F] — Property-based testing for APIs from schemas.
- kiterunner [F] — API route discovery.
- grpcurl [F] — gRPC probing.
- mitmproxy [F] — Intercept TLS traffic; scripts for API testing.
- WPScan [F/C] — WordPress enumeration and vuln checks.
- droopescan [F] — Drupal/Joomla/CouchCMS checks.
- joomscan [F] — Joomla scanner.
- Prowler [F] — AWS/Azure/GCP security benchmarking.
- ScoutSuite [F] — Multi-cloud posture assessment.
- CloudQuery [F] — Cloud inventory to SQL for queries.
- CloudSploit [F] — Cloud configuration checks.
- Pacu [F] — AWS exploitation framework (authorized research).
- cloudfox [F] — CLI to find cloud attack paths.
- S3Scanner [F] — Public S3 bucket discovery.
- enumerate-iam [F] — IAM policy analysis.
- Trivy [F] — Image/filesystem/repo/IaC scanning.
- Grype [F] — SBOM-driven image vulnerability scanning.
- Syft [F] — SBOM generation (SPDX/CycloneDX).
- kube-hunter [F] — K8s attack surface discovery.
- kube-bench [F] — CIS K8s benchmarks.
- Kubescape [F] — K8s posture and compliance.
- Popeye [F] — K8s cluster sanitizer.
- Falco [F] — Runtime threat detection via eBPF.
- Dockle [F] — Docker image linting.
- Clair [F] — Image vulnerability analysis.
- tfsec [F] — Terraform static analysis.
- Checkov [F] — IaC scanning (Terraform, K8s, Cloud).
- Terrascan [F] — Policy-as-code for IaC.
- Semgrep [F] — Code scanning with community rules (supports IaC).
- OWASP Dependency-Check [F] — Java/.NET/others dependency CVEs.
- CycloneDX CLI [F] — SBOM utilities.
- gitleaks [F] — Git secrets detection.
- trufflehog [F] — Secrets in repos, files, and APIs.
- git-secrets [F] — Prevent committing secrets.
- detect-secrets [F] — Pluggable pre-commit secrets scanner.
- ggshield [F/C] — CLI with GitGuardian detectors.
- BloodHound [F] — AD attack path graphing.
- SharpHound [F] — AD data collector.
- Impacket [F] — SMB/RPC/LDAP tooling (psexec, wmiexec, ntlmrelayx).
- Responder [F] — LLMNR/NBNS poisoning.
- mitm6 [F] — IPv6 DNS takeover in AD.
- Rubeus [F] — Kerberos abuse (authorized research).
- Certipy [F] — AD CS abuse and enumeration.
- Coercer [F] — Force auth via RPC.
- PetitPotam [F] — EfsRpc relay research.
- CrackMapExec [F] — Lateral movement swiss-army knife.
- WinPEAS / LinPEAS [F] — Local privesc checks.
- Seatbelt [F] — Windows triage enumeration.
- PowerView / PowerUp [F] — AD recon and privesc.
- ldapdomaindump [F] — Dump AD info via LDAP.
- Zeek [F] — Network security monitoring.
- Suricata [F] — IDS/IPS with rulesets.
- Snort 3 [F] — IDS/IPS engine.
- Arkime (Moloch) [F] — Full-packet capture and indexing.
- Security Onion [F] — NSM distro (Zeek/Suricata/Wazuh).
- mitmproxy [F] — Interactive TLS proxy with scripting.
- bettercap [F] — MITM framework and network recon.
- tcpdump / tshark [F] — CLI packet capture.
- Aircrack-ng [F] — 802.11 capture and key cracking.
- hcxdumptool / hcxpcapngtool [F] — PMKID/handshake harvesting and conversion.
- kismet [F] — Wireless IDS and surveys.
- reaver [F] — WPS attacks (legacy).
- wifite2 [F] — Automated Wi-Fi attack orchestration.
- mdk4 [F] — 802.11 stress/attack testing.
- BlueZ [F] — Linux Bluetooth stack tools.
- btlejack [F] — BLE sniffing with cheap hardware.
- MobSF [F] — Mobile static/dynamic analysis.
- Frida [F] — Dynamic instrumentation.
- Objection [F] — Runtime mobile exploration (Frida-based).
- jadx [F] — Android decompiler.
- apktool [F] — APK decode/rebuild.
- drozer [F] — Android security assessment (older but useful).
- Xcode / Android Studio [F] — Official toolchains and emulators.
- Ghidra [F] — Full-suite reverse engineering.
- Radare2 / Cutter [F] — Disassembler/debugger with GUI.
- Binary Ninja [C] — Fast reversing with APIs.
- IDA Pro [C] — Industry-standard disassembler/debugger.
- x64dbg [F] — Windows debugging.
- angr [F] — Binary analysis with symbolic execution.
- pwndbg [F] — Enhanced GDB for pwn.
- AFL++ [F] — Modernized AFL fork.
- libFuzzer [F] — In-process coverage-guided fuzzing (LLVM).
- Honggfuzz [F] — General-purpose fuzzer.
- boofuzz [F] — Network protocol fuzzing (Sulley successor).
- RESTler [F] — API fuzzing from schemas (listed above too).
- Hashcat [F] — GPU/CPU cracking with rule/mask/PRINCE.
- John the Ripper Jumbo [F] — CPU cracking and formats.
- Hydra [F] — Network login bruteforcing.
- Medusa [F] — Parallel login brute-forcer.
- patator [F] — Flexible brute-forcer/sprayer.
- hashid [F] — Identify hash types.
- cewl [F] — Custom wordlist generator from sites.
- crunch [F] — Wordlist generator.
- hashcat-utils [F] — Rule helpers and transforms.
- SecLists [F] — Wordlists for fuzzing, creds, payloads.
- Probable-Wordlists [F] — Frequency-based lists.
- SpiderFoot [F] — Automated OSINT.
- Maltego CE [F/C] — Graph OSINT with transforms.
- Recon-ng [F] — OSINT framework.
- GHunt [F] — Google OSINT.
- Photon [F] — Fast crawler for intel.
- MISP [F] — Threat intel platform for IOCs.
- OpenCTI [F] — Threat intel knowledge base.
Research and defense testing only, with explicit authorization.
- Gophish [F] — Phishing framework for training/testing.
- King Phisher [F] — Flexible phishing campaigns.
- Evilginx2 [F] — Adversary-in-the-middle framework for auth research.
- Modlishka [F] — Reverse proxy for login flows (research).
Operate only in lab or with written authorization. Many tools are detected by EDR by default.
- Sliver [F] — Open C2 framework.
- Mythic [F] — Plugin-based C2 with multiple agents.
- Havoc [F] — Modern C2.
- Covenant [F] — .NET C2 framework.
- Empire (BC-Security) [F] — PowerShell/C# post-exploitation.
- PoshC2 [F] — PowerShell C2.
- Merlin [F] — Cross-platform agent over HTTP/2.
- Quasar [F] — Windows remote admin (research).
- OpenVAS / Greenbone [F] — Infrastructure scanning.
- Nessus [C] — Widely used network scanner.
- Nuclei [F] — Template-based checks at scale.
- Nikto [F] — Legacy web scanner for quick wins.
- Dependency-Check [F] — SCA for libraries.
- Trivy / Grype — SCA and container scanning (see above).
- Volatility 3 [F] — Memory forensics.
- Autopsy / Sleuth Kit [F] — Disk forensics GUI.
- Velociraptor [F] — Endpoint visibility and DFIR.
- KAPE [F] — Targeted triage collection (Windows).
- plaso / log2timeline [F] — Timeline generation.
- Timesketch [F] — Collaborative timeline analysis.
- Eric Zimmerman Tools [F] — Windows artifact analysis.
- YARA [F] — Pattern matching for malware hunting.
- Sigma + tools [F] — Generic SIEM rules and converters.
- Bulk Extractor [F] — Feature extraction at scale.
- TestDisk / PhotoRec [F] — Recovery of lost files/partitions.
- chisel [F] — TCP/UDP over HTTP tunneling.
- ligolo-ng [F] — Reverse tunneling/proxy.
- frp [F] — Fast reverse proxy.
- sshuttle [F] — Poor man's VPN over SSH.
- socat [F] — Bidirectional relay swiss-army knife.
- rinetd [F] — Simple TCP redirection.
- ripgrep — Fast grep replacement.
- fzf — Fuzzy finder in terminal.
- bat — Better cat with syntax highlighting.
- jq / yq — JSON/YAML processing.
- httpie — Human-friendly HTTP client.
- pv — Pipe progress meter.
Legal/ethical: use only on systems you own or have written authorization to test.
- Flipper Zero — Portable multi-tool for sub-GHz, NFC/RFID, IR, GPIO, BLE apps; large open ecosystem. https://flipperzero.one
- Proxmark3 RDV4 — High-end LF/HF RFID research (read/write/snoop/replay/emulate); de-facto standard. https://proxmark.com
- ChameleonMini/ChameleonUltra — HF RFID emulator for MIFARE/ISO14443; fast clone/replay labs. https://github.com/emsec/ChameleonMini · https://chameleonultra.com
- HackRF One — 1 MHz–6 GHz SDR transceiver for capture/replay, modulation experiments. https://greatscottgadgets.com/hackrf/one
- LimeSDR (USB/Mini) — Full-duplex SDR (broadband TX/RX); LTE/LoRa/Zigbee/GSM research. https://myriadrf.org/projects/limesdr
- RTL-SDR Blog V3 — Ultra-low-cost SDR receiver; spectrum survey, ADS-B, trunking monitoring. https://www.rtl-sdr.com
- Yard Stick One — Sub-1 GHz digital RF transceiver for ISM/OOK/FSK labs. https://greatscottgadgets.com/yardstickone
- Ubertooth One — Open 2.4 GHz/Bluetooth research; still useful for BLE labs if you have one. https://greatscottgadgets.com/ubertoothone
- Crazyradio PA — 2.4 GHz NRF24LU1+ transceiver; wireless peripheral protocol tinkering. https://www.bitcraze.io/products/crazyradio-pa
- Nordic nRF Sniffer (BLE) — Real-time BLE capture/debug using nRF dev boards. https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE
- GreatFET One — General-purpose USB hardware hacking (I²C/SPI/UART/JTAG, signal tools). https://greatscottgadgets.com/greatfet/one
- Bus Pirate — Multi-bus interface for I²C/SPI/UART/1-Wire sniffing and bring-up. http://dangerousprototypes.com/docs/Bus_Pirate
- JTAGulator — Finds JTAG/UART pins on unknown PCBs; speeds embedded analysis. https://www.grandideastudio.com/jtagulator
- ChipWhisperer-Lite/Pro — Side-channel + fault-injection (DPA/glitch) research platform. https://www.newae.com/products/chipwhisperer
- Saleae Logic (8/16/Pro) — Logic analyzers with rich protocol decode; gold-standard UX. https://www.saleae.com
- sigrok + PulseView — Open protocol decoding suite + GUI for many analyzers. https://sigrok.org
- Hak5 USB Rubber Ducky — Keystroke-injection for payload/EDR testing; DuckyScript 3.0. https://shop.hak5.org/products/usb-rubber-ducky
- Hak5 WiFi Pineapple — Wireless assessment platform (rogue AP, client probing, WPA workflows). https://shop.hak5.org/products/wifi-pineapple
- Hak5 LAN Turtle — Inline implant for remote access/MiTM in controlled engagements. https://shop.hak5.org/products/lan-turtle
- O.MG Cable / O.MG Plug — Covert red-team implants for realistic USB attack simulation. https://o.mg.lol
- Cybersecurity First Principles — Simple models, threat/defense basics (good for true beginners). https://firstprinciples.uscyberpatriot.org
- The Basics of Hacking and Penetration Testing (2e) — P. Engebretson — Lab-driven intro to tooling and method. https://www.elsevier.com/books/the-basics-of-hacking-and-penetration-testing/engebretson/978-0-12-411644-3
- CompTIA Security+ Study Guide (SY0-701) — Solid baseline for vocabulary and exam mapping. https://www.comptia.org/certifications/security
- Security Engineering (3e) — Ross Anderson — Design, threat models, protocol failures, economics. https://www.cl.cam.ac.uk/~rja14/book.html
- Serious Cryptography (2e) — JP Aumasson — Modern crypto for engineers (AEAD, ECC, protocols). https://nostarch.com/serious-cryptography-second-edition
- Real-World Cryptography — David Wong — Pragmatic crypto, modern protocols, ZK basics. https://www.manning.com/books/real-world-cryptography
- The Practice of Network Security Monitoring — R. Bejtlich — NSM mindset, tools, and workflows. https://nostarch.com/nsm
- Building Secure & Reliable Systems — Google — Free; risk, reliability, and security at scale. https://sre.google/books/building-secure-and-reliable-systems/
- Practical Packet Analysis (3e) — Chris Sanders — Wireshark/TShark workflows. https://nostarch.com/packetanalysis3
- Windows Internals (7e, Part 1 & 2) — Core OS internals for detection/DFIR depth. https://learn.microsoft.com/sysinternals/resources/windows-internals
- Linux Hardening in Hostile Networks — K. Fox — Practical hardening for real machines. https://nostarch.com/linuxhardening
- The Web Application Hacker's Handbook (2e) — Stuttard & Pinto — Methodical web testing. https://www.wiley.com/en-us/The+Web+Application+Hacker%27s+Handbook%2C+2nd+Edition-p-9781118026472
- The Tangled Web — M. Zalewski — Browser/web platform security internals. https://nostarch.com/tangledweb
- API Security in Action — N. Mykyta — Practical API threats and defenses. https://www.manning.com/books/api-security-in-action
- The Ghidra Book (2e) — Eagle & Nance — RE workflows in Ghidra. https://nostarch.com/ghidra2
- Practical Binary Analysis — Andriesse — Instrumentation, taint, lifting. https://nostarch.com/binaryanalysis
- Practical Malware Analysis — Sikorski & Honig — Classic malware triage/RE. https://nostarch.com/malware
- Black Hat Python (2e) — Seitz & Arnold — Offensive tooling patterns in Python 3. https://nostarch.com/black-hat-python2
- The Art of Memory Forensics — Ligh et al. — Windows/Linux/OS X memory forensics. https://www.wiley.com/en-us/The+Art+of+Memory+Forensics-p-9781118825099
- Practical Reverse Engineering — Dang et al. — Low-level Intel/ARM/RE patterns. https://www.wiley.com/en-us/Practical+Reverse+Engineering-p-9781118787311
- Threat Modeling — Adam Shostack — Processes and patterns to design safer systems. https://www.wiley.com/en-us/Threat+Modeling-p-9781118809990
- Secure by Design — Mosher, Tendean, de Win — Design patterns to avoid whole classes of vulns. https://www.manning.com/books/secure-by-design
- Designing Data-Intensive Applications — Kleppmann — Consistency, fault tolerance, data flows that impact security. https://dataintensive.net
- OWASP WSTG — End-to-end web testing methodology. https://owasp.org/www-project-web-security-testing-guide/
- OWASP ASVS — Web security requirements catalog. https://owasp.org/ASVS/
- NIST SP 800-115 — Technical security testing guide. https://csrc.nist.gov/publications/detail/sp/800-115/final
Get what your target role requires; hands-on > theory for pentest/DFIR roles.
- ISC2 CC (Certified in Cybersecurity) — Free training + low-cost exam; broad fundamentals. https://www.isc2.org/Certifications/CC
- CompTIA Security+ (SY0-701) — Common baseline for junior analyst/consultant. https://www.comptia.org/certifications/security
- eJPT v2 (INE/eLearnSecurity) — Practical junior pentest exam. https://ine.com/certifications/ejpt-certification
- OSCP / OSWE / OSEP (OffSec) — Network/web/EDR-aware offense; proctored labs. https://www.offsec.com
- PNPT (TCM Security) — Realistic AD-centric pentest with report & debrief. https://certifications.tcm-sec.com/pnpt/
- CRTO I/II (Zero-Point Security) — Cobalt Strike-based red team operator. https://www.zeropointsecurity.co.uk/courses
- eCPPT / eWPT / eWPTX (eLearnSecurity) — Web/app exploitation tracks. https://ine.com
- GPEN (SANS/GIAC) — Pentest methodology & tooling. https://www.giac.org/certifications/gpen/
- GCIH / GCIA / GMON / GCFA / GREM (GIAC) — Incidents, IDS, monitoring, forensics, malware. https://www.giac.org
- BTL1/BTL2 (Security Blue Team) — Practical SOC/blue-team labs & exams. https://www.securityblue.team
- SC-200 (Microsoft) — Security Operations Analyst (Defender/Sentinel). https://learn.microsoft.com/credentials/certifications/exams/sc-200/
- AWS Security — Specialty — Depth in AWS security. https://aws.amazon.com/certification/
- Azure AZ-500 / SC-100 — Security Engineer + Cybersecurity Architect Expert. https://learn.microsoft.com/credentials/
- Google Professional Cloud Security Engineer — GCP security design/ops. https://cloud.google.com/certification
- CKS (Kubernetes Security Specialist) — K8s defensive hardening. https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist-cks/
- CISSP (ISC2) — Broad management/architecture. https://www.isc2.org/certifications/cissp
- CISM / CISA (ISACA) — Management and audit tracks. https://www.isaca.org/credentialing
- CCSP (ISC2) — Cloud security architecture. https://www.isc2.org/certifications/ccsp
- IAPP CIPP/E / CIPM — GDPR/privacy and program management. https://iapp.org/certify/
- TryHackMe — Guided, browser-based labs; structured paths from beginner to intermediate. https://tryhackme.com
- Hack The Box — Challenge boxes, Pro Labs, Academy modules, CPTS/CWEs. https://www.hackthebox.com
- PortSwigger Web Security Academy — Best free interactive web labs with theory. https://portswigger.net/web-security
- OverTheWire — Classic wargames (Bandit, Narnia, Krypton). https://overthewire.org
- picoCTF — Beginner-friendly, CMU-run CTF platform. https://picoctf.org
- Root-Me — Large bank of web/crypto/reversing/forensics challenges. https://www.root-me.org
- CyberDefenders — Blue-team SOC/DFIR hunt labs with real data. https://cyberdefenders.org
- Blue Team Labs Online (BTLO) — Incident-style challenges for SOC analysts. https://securityblue.team/btlo
- LetsDefend — SOC simulator with alert triage/detection tasks. https://letsdefend.io
- RangeForce — Hands-on cyber skills platform (blue/red). https://www.rangeforce.com
- Immersive Labs — Enterprise hands-on labs (skills validation). https://www.immersivelabs.com
- VulnHub — Downloadable vulnerable VMs for local labs. https://www.vulnhub.com
- Malware Traffic Analysis — PCAP-centric IR investigations. https://www.malware-traffic-analysis.net
- Flare-On (archive) — Annual RE/malware challenge set. https://www.flare-on.com
- MIT 6.858 Computer Systems Security — Research-grade systems security (OCW). https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/
- Stanford CS155 Computer & Network Security — Public materials & past lectures. https://cs155.stanford.edu
- OpenSecurityTraining & OST2 — Deep dives in RE, exploitation, CPU arch. https://opensecuritytraining.info · https://ost2.fyi
- Georgia Tech OMSCS (InfoSec) — Graduate-level content, open syllabi. https://omscs.gatech.edu
- OffSec — Labs-first (PWK/OSCP, AWAE/OSWE, OSEP). https://www.offsec.com
- SANS / GIAC — Premium courses; maps directly to GIAC. https://www.sans.org
- HTB Academy — Modular courses + hands-on labs + certs. https://academy.hackthebox.com
- INE/eLearnSecurity — eJPT/eCPPT/eWPT tracks, cloud & blue team. https://ine.com
- PentesterLab — High-quality web vulns bootcamps (Burp, auth, serialization, etc.). https://pentesterlab.com
- Coursera/edX Security Specializations — Google/IBM/Cisco intro paths (cheap on-ramp). https://www.coursera.org · https://www.edx.org
Goal: understand frameworks, map controls to real telemetry, automate evidence, and continuously monitor. EU-centric bits included (NIS2/GDPR/DORA).
- ISO/IEC 27001:2022 — ISMS certification standard; Annex A controls; pair with 27002:2022 for guidance. https://www.iso.org/standard/27001
- NIST Cybersecurity Framework (CSF) 2.0 — High-level Identify-Protect-Detect-Respond-Recover functions; profiles/tiers. https://www.nist.gov/cyberframework
- NIST SP 800-53 Rev.5 — Catalog of security/privacy controls (US-centric but broadly referenced). https://csrc.nist.gov/publications/sp
- CIS Controls v8 — 18 prioritized safeguards + IG1/IG2/IG3 maturity. https://www.cisecurity.org/controls
- SOC 2 (AICPA TSC) — Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). https://www.aicpa.org
- PCI DSS v4.0 — Cardholder data security for merchants/service providers. https://www.pcisecuritystandards.org
- GDPR — EU data protection regulation (law; not a cert). https://gdpr.eu
- NIS2 Directive (EU) — Security of network & information systems; risk management & reporting for "essential/important" entities. https://eur-lex.europa.eu
- DORA (EU financial sector) — Digital Operational Resilience Act; ICT risk for financial entities. https://finance.ec.europa.eu/dora
- HIPAA Security Rule (US healthcare) — ePHI safeguards. https://www.hhs.gov/hipaa
- Kubernetes Hardening (NSA/CISA) — Practical K8s hardening guidance; tie to CIS K8s Benchmarks. https://www.cisa.gov/resources-tools
- Pick two frameworks: one management (ISO 27001 or NIST CSF) + one technical (CIS Controls or 800-53). Learn their structure and vocabulary.
- Scope & asset inventory: define boundaries; build an inventory (devices, apps, data flows, cloud accounts). Tools: osquery, Open-AudIT, CloudQuery.
- Risk management basics: simple risk register (asset, threat, likelihood, impact, control). Use ISO 27005 or NIST 800-30 as structure.
- Control mapping: create a control matrix mapping ISO 27001 Annex A ↔ CIS Controls ↔ NIST CSF. Keep it in Git (CSV/Markdown).
- Select policies: start with Acceptable Use, Access Control, Logging/Monitoring, Incident Response, Change Management, Secure Dev. Version them in Git; link each to controls in your matrix.
- Implement telemetry: enable logs & metrics that prove controls (e.g., MFA enforced, admin actions audited, EDR coverage %). Prefer Elastic/OSSEC(Wazuh)/Defender/Sentinel in labs.
- Evidence collection: automate screenshots, config exports, and queries (e.g., Azure AD sign-in risk policy, AWS Config conformance). Store in a timestamped evidence folder per control.
- Continuous control monitoring (CCM): pick 10 controls (MFA, patch SLAs, backups tested, encryption at rest, etc.). Automate daily checks with osquery, Wazuh, cloud configs, and IaC scanners.
- Internal audit & SOA: for ISO, maintain a Statement of Applicability; schedule internal audits; track corrective actions in an issue tracker (Jira/GitHub).
- Tabletop & incident drills: run 2–3 tabletop exercises (ransomware, credential compromise, lost laptop). Record lessons learned as evidence for governance clauses.
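The "evidence collection" and "continuous control monitoring" steps above are the ones worth automating first. The script below is an added example (not from this list's author or any project it links): it runs one osquery query per control, judges pass/fail from the rows, and files the raw rows plus verdict into a timestamped evidence folder per control, the layout the roadmap suggests. The control IDs borrow CIS Controls v8 numbering for illustration, the pass rules (every volume encrypted; at most two local admins) are assumed thresholds, and `run_query` is injectable so the collector runs without osquery installed.

```python
"""Continuous control monitoring: collect per-control evidence via osquery.

Writes Evidence/<control-id>/<UTC timestamp>.json for every control run.
Assumes osqueryi is on PATH for real runs; the query runner is injectable.
"""
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Illustrative control rows; in practice read these from ControlMatrix.csv.
# osqueryi --json returns every column value as a string, hence "1" not 1.
CONTROLS = [
    {
        "id": "CIS-3.11",
        "name": "Encrypt sensitive data at rest",
        "query": "SELECT name, encrypted FROM disk_encryption;",
        # pass only if at least one volume is listed and all are encrypted
        "passes": lambda rows: bool(rows) and all(r.get("encrypted") == "1" for r in rows),
    },
    {
        "id": "CIS-5.4",
        "name": "Restrict administrator privileges",
        # Linux local admins: members of sudo or wheel
        "query": ("SELECT u.username FROM users u "
                  "JOIN user_groups ug ON u.uid = ug.uid "
                  "JOIN groups g ON ug.gid = g.gid "
                  "WHERE g.groupname IN ('sudo', 'wheel');"),
        # assumed threshold: between one and two named admin accounts
        "passes": lambda rows: 0 < len(rows) <= 2,
    },
]


def run_osquery(sql):
    """Execute one SQL statement with osqueryi and return rows as dicts."""
    proc = subprocess.run(["osqueryi", "--json", sql], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def evaluate(control, rows):
    """Build the evidence record for one control from its query rows."""
    return {
        "control": control["id"],
        "name": control["name"],
        "query": control["query"],
        "rows": rows,
        "passed": bool(control["passes"](rows)),
    }


def collect_evidence(controls, evidence_root, run_query=run_osquery, now=None):
    """Run every control, persist evidence, and return {control_id: passed}.

    A query that fails (osquery missing, bad SQL) is recorded as a failed
    control with the error message, so gaps in monitoring are visible too.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%dT%H%M%SZ")
    results = {}
    for control in controls:
        try:
            rows = run_query(control["query"])
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            record = {"control": control["id"], "name": control["name"],
                      "error": str(exc), "passed": False}
        else:
            record = evaluate(control, rows)
        record["collected_at"] = now.isoformat()
        folder = Path(evidence_root) / control["id"]
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{stamp}.json").write_text(json.dumps(record, indent=2))
        results[control["id"]] = record["passed"]
    return results


if __name__ == "__main__":
    # Daily run: schedule this via cron or a systemd timer on each host.
    for cid, ok in collect_evidence(CONTROLS, "Evidence").items():
        print(f"{cid}: {'PASS' if ok else 'FAIL'}")
```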
- eramba (Community Edition) — Open-source GRC (policies, risk, audits, compliance). https://www.eramba.org
- OpenControl / Compliance-Masonry — YAML-based control catalogs & docs (FedRAMP origins; still useful conceptually). https://open-control.org
- OSCAL (NIST) — Machine-readable security controls (XML/JSON/YAML) to model systems and assessments. https://pages.nist.gov/OSCAL/
- Documize / Git + Markdown — Lightweight policy repository with versioning; simple beats bloated.
- OpenSCAP + SCAP Security Guide (SSG) — Automated config scans & remediations for Linux/Windows; DISA/STIG/PCI/GDPR profiles. https://www.open-scap.org · https://github.com/ComplianceAsCode/content
- Lynis — Host auditing for Unix/Linux; good for baseline hardening. https://cisofy.com/lynis/
- CIS-CAT Lite — Free scanner for CIS Benchmarks (subset of Pro). https://www.cisecurity.org/cis-cat-lite
- Prowler — AWS/Azure/GCP security & compliance checks (CIS, NIST, ISO mappings). https://github.com/prowler-cloud/prowler
- ScoutSuite — Multi-cloud posture assessment. https://github.com/nccgroup/ScoutSuite
- CloudSploit (Aqua) — Cloud config checks (CIS). https://github.com/aquasecurity/cloudsploit
- Steampipe + Mods — Query clouds/SaaS with SQL; ready-made compliance dashboards. https://steampipe.io
- kube-bench — CIS Kubernetes Benchmark checks. https://github.com/aquasecurity/kube-bench
- Kubescape — K8s posture/compliance incl. NSA/CISA hardening. https://github.com/kubescape/kubescape
- Open Policy Agent (OPA) / Gatekeeper — Rego policies for K8s admission & CI checks. https://www.openpolicyagent.org
- Kyverno — Native K8s policy engine with rich policy packs. https://kyverno.io
- Conftest — Test structured configs (YAML/JSON/HCL) with OPA/Rego in CI. https://www.conftest.dev
- Checkov — IaC static analysis (Terraform/K8s/Cloud/CloudFormation). https://www.checkov.io
- tfsec — Terraform static analysis (now part of Trivy). https://github.com/aquasecurity/tfsec
- Regula — Policy-as-code for Terraform/Cloud; maps to CIS/NIST (Fugue/Snyk). https://github.com/fugue/regula
- Terrascan — IaC security and compliance scanning. https://github.com/tenable/terrascan
- OPA Gatekeeper Library — Prebuilt constraint templates/policies. https://github.com/open-policy-agent/gatekeeper-library
- osquery — SQL over system state; schedule compliance queries (disk encryption, firewall, admin users). https://osquery.io
- Wazuh — Open-source SIEM/XDR with PCI/HIPAA rules, FIM, CIS checks. https://wazuh.com
- Elastic Security (ELK) — SIEM & detection; map rules to MITRE & compliance. https://www.elastic.co/security
- Microsoft Defender + Sentinel — If you're in Azure/M365 (student-friendly lab licenses exist). https://learn.microsoft.com/azure/sentinel/
- AWS: Organizations, Control Tower, Config, Security Hub, Audit Manager, Macie, GuardDuty. https://aws.amazon.com/security
- Azure: Policy, Defender for Cloud, Purview (data governance), Blueprints. https://azure.microsoft.com
- Google Cloud: Security Command Center, Policy Controller (OPA Gatekeeper), Cloud Asset Inventory. https://cloud.google.com/security
- Kubernetes: Admission controls + PSP replacements (OPA/Kyverno), CIS Benchmark via kube-bench.
- GDPR text + EDPB guidelines — Interpretations for DPIA, DPO, consent, transfers. https://edpb.europa.eu
- IAPP — Solid primers and mappings (CIPP/E). https://iapp.org
- Policy Starter Kits — SANS Security Policy Templates; CIS sample policies. https://www.sans.org/information-security-policy/ · https://www.cisecurity.org/insights/white-papers
- Incident Response — NCSC-UK IR guidance & playbooks; CISA tabletop templates. https://www.ncsc.gov.uk/collection/incident-management · https://www.cisa.gov
- Risk Register & SoA — Keep simple CSV/Markdown in Git; link each row to evidence and control IDs.
- Scope a small lab (laptop, Kali VM, Windows VM, small cloud account).
- Create a lightweight ISMS folder: Policies/, RiskRegister.csv, Assets.csv, ControlMatrix.csv, Evidence/.
- Enforce MFA, BitLocker/FileVault, baseline firewall, auto-patch, EDR.
- Enable central logging (Wazuh/Elastic), document retention.
- Run Lynis/OpenSCAP on hosts; Prowler/ScoutSuite on cloud; kube-bench if you use K8s.
- Monthly: audit users/admins, key rotation, backup restore test, tabletop IR scenario.