A curated list of awesome resources for security research:
vulnerability discovery, exploit development, reversing, containers, Kubernetes, and more.
- 🔥 - Highly recommended / must-watch
- 💵 - Paid or has a paid tier
If you're new to security research:
- Start with a few talks from Talks & Videos (marked 🔥).
- Pick a domain (Web, Windows, Kubernetes, etc.) and read through the matching section in Articles.md.
- Choose 1–2 tools from Tools in that domain and actually use them on a test target or lab.
- Repeat in cycles: Watch → Read → Experiment → Take notes.
A curated collection of vulnerability research articles and blog posts.
➡️ See the full list here: articles.md
- DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle (🔥) by James Kettle, Oct 11, 2025
- Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls (🔥🔥) by Gareth Heyes, March 3, 2025
- BingBang: Hacking Bing.com (and much more) with Azure Active Directory (🔥🔥) by Hillai Ben-Sasson (Wiz), Feb 20, 2024
- mTLS: When Certificate Authentication is Done Wrong by Michael Stepankin, Feb 20, 2024
- Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare by STOK, Jan 3, 2024
- Smashing the State Machine: The True Potential of Web Race Conditions (🔥🔥) by James Kettle, Jan 2, 2024
- BlueHat 2023: Houdini of the Terminal with David Leadbeater (🔥) by David Leadbeater, March 2, 2023
- Defender-Pretender: When Windows Defender Updates Become a Security Risk by Omer Attias and Tomer Bar, Feb 2, 2024
- Backdooring and Hijacking Azure AD Accounts by Abusing External Identities by Dirk-jan Mollema, Nov 17, 2022
- Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities by Shir Tamari & Nir Ohfeld, Nov 17, 2022
- The Journey of Hunting In-the-Wild Windows LPE 0day by Quan Jin, Nov 17, 2022
- Trace Me if You Can: Bypassing Linux Syscall Tracing by Rex Guo & Junyuan Zeng, Nov 17, 2022
- DEF CON 30 - James Kettle - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling (🔥🔥) by James Kettle, October 20, 2022
- CG - Trust Me, I'm a Robot: Can we trust RPA with our most guarded secrets? (🔥🔥) by Nimrod Stoler and Nethanel Coppenhagen, Sept 4, 2022
- DEF CON 29 - Ian Coldwater, Chad Rikansrud - Real Life Story of the 1st Mainframe Container Breakout by Ian Coldwater and Chad Rikansrud, Aug 5, 2021
- #HITBLockdown D1 - 60 CVEs In 60 Days - Eran Shimony (🔥) by Eran Shimony, May 21, 2020
- GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs by Christopher Domas (xoreaxeaxeax) (🔥), August 28, 2018
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai, Jan 8, 2020
- DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering by Christopher Domas (xoreaxeaxeax) (🔥), April 20, 2016
- REcon 2015 - The movfuscator (Christopher Domas) by Christopher Domas (xoreaxeaxeax), Feb 17, 2016
- Kubernetes Privilege Escalation: Container Escape == Cluster Admin? by Yuval Avrahami and Shaul Ben Hai, November 28, 2022
- DEF CON 30 - Billy Jheng, Muhammad Ramdhan - All Roads Lead to GKEs Host - 4+ Ways to Escape by Billy Jheng and Muhammad Ramdhan, Oct 20, 2022
- HEXACON 2025 - CUDA de Grâce by Valentina Palmiotti & Samuel Lovejoy, Nov 24, 2025
- How to Use "Leaky Vessels" for Container Escape in #kubernetes w/ Jay Beale by Jay Beale, Feb 21, 2024
- Container Escape: All You Need Is Cap (Capabilities) by Eran Ayalon and Ilan Sokol, June 7, 2023
- The COW (Container On Windows) Who Escaped the Silo by Eran Segal, Nov 17, 2022
- #HITB2021SIN D2T2 - Container Escape In 2021 - Li Qiang by Li Qiang, Sep 2, 2021
- Escaping Virtualized Containers (🔥🔥) by Yuval Avrahami, May 14, 2021
- A Compendium of Container Escapes by Capsule8, Jan 15, 2020
- #HITBLockdown D2 - Prisoner Number 6 - Nimrod Stoler (🔥) by Nimrod Stoler, Jun 3, 2020
- CG - Prisoner Number Six - Nimrod Stoler & Lavi Lazarovitz (🔥) by Nimrod Stoler, August 7, 2019
- #HITB2016AMS D1T1 - Escape From The Docker KVM QEMU Machine - Shengping Wang and Xu Liu by Xu Liu and Shengping Wang, Jun 21, 2016
- Vulnerability Exploitation In Docker Container Environments by Anthony Bettini, Mar 5, 2016
- Turning WebAuthn Against Itself by Shourya Pratap Singh, Jonny Lin and Daniel Seetoh, Aug 28, 2025
- CyberChef
- Burp Suite (free, the pro version is 💵)
- Caido - Modern alternative to Burp Suite
- OWASP ZAP - Webapp scanner
- URL validation bypass cheat sheet
- JSAnalyzer - Burp extension for JavaScript static analysis
- Firecrawl - Scraping
- Wireshark
- Fiddler
- nmap - Network mapper
- bettercap by Simone Margaritelli (evilsocket)
- MobSF (🔥)
- Faxhell - A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on Ualapi.dll
- pestudio by Marc Ochsenmeier
- CFF Explorer
- PEiD
- HxD
- Procmon
- Process Explorer
- System Informer (Process Hacker)
- TCPView
- mimikatz by Benjamin Delpy
- ItWasAllADream - A PrintNightmare (CVE-2021-34527) Python Scanner by byt3bl33d3r
- PE-sieve - Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches) by hasherezade.
- PE-bear - Portable Executable reversing tool with a friendly GUI by hasherezade.
- Detect It Easy (DiE) - Program for determining types of files for Windows, Linux and macOS.
- Pipetap by Leon Jacobs
- PipeViewer - Shows detailed information about named pipes in Windows by Eviatar Gerzi
- NamedPipeMaster - Analyze and monitor named pipes, by zeze-zeze
- IO Ninja 💵
- RPCMon - RPC Monitor tool based on Event Tracing for Windows by Eviatar Gerzi
- RpcInvestigator - Exploring RPC interfaces on Windows by trailofbits (blog)
- rpcfirewall - Hooking RPC calls by zeronetworks (Sagie Dulce)
- API monitor by rohitab
- x64dbg
- dnSpyEx - .NET debugger and assembly editor.
- dnSpy (original - DEPRECATED) - .NET debugger and assembly editor.
- IDA
- radare by pancake
- WinDBG
- Ghidra
- Edgeshark - Discover and capture container network traffic.
- deepce (🔥) - Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).
- KubiScan - Scan Kubernetes cluster for risky permissions by Eviatar Gerzi
- kubeletctl - A client for kubelet by Eviatar Gerzi
- kubesploit - Offensive tool by Eviatar Gerzi
- kubestriker - Security auditing tool by Vasant Chinnipilli
- aad-pod-identity - Assign Azure AD identities to pods in Kubernetes, in order to access Azure resources
- audit2rbac - Autogenerate RBAC policies based on Kubernetes audit logs
- CDK - Zero Dependency Container Penetration Toolkit
- Deepfence ThreatMapper - Apache v2, powerful runtime vulnerability scanner for Kubernetes, virtual machines and serverless
- cnspec - Scan Kubernetes clusters, containers, and manifest files for vulnerabilities and misconfigurations
- falco - Container Native Runtime Security
- KBOM - Kubernetes Bill of Materials Toolkit
- kdigger - Kubernetes focused container assessment and context discovery tool for penetration testing
- kiam - Integrate AWS IAM with Kubernetes
- kube-bench - Check whether Kubernetes is deployed according to security best practices
- kube-hunter - Hunt for security weaknesses in Kubernetes clusters
- kube-psp-advisor - Help building an adaptive and fine-grained pod security policy
- kube-scan - k8s cluster risk assessment tool
- kubescape - k8s risk analysis, security compliance, and misconfiguration scanning.
- kubelight - WIP but promising - OWASP project to scan your Kubernetes Cluster for Security & Compliance.
- Kubei - Vulnerabilities scanner for Kubernetes clusters
- kube2iam - Provide different AWS IAM roles for pods running on Kubernetes
- kubeaudit - Audit your Kubernetes clusters against common security controls
- kubectl-bindrole - Find Kubernetes roles bound to a specified ServiceAccount, Group or User
- kubectl-dig - Deep Kubernetes visibility from the kubectl
- kubectl-kubesec - Scan Kubernetes pods, deployments, daemonsets and statefulsets with kubesec.io
- kubectl-who-can - Show who has permissions to <verb> <resource> in Kubernetes
- OWASP Top Ten for Kubernetes - The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity
- terrascan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure
- kyverno - Kubernetes Native Policy Management
- netchecks - Tool to validate assumptions about the network
- rakkess - Review access matrix for Kubernetes server resources
- rback - RBAC in Kubernetes visualizer
- red-kube - K8S Adversary Emulation Based on kubectl
- steampipe - Use SQL to query your cloud services (AWS, Azure, GCP and more) running Kubernetes
- steampipe-kubernetes - Use SQL to query your Kubernetes resources
- steampipe-kubernetes-compliance - Kubernetes compliance scanning tool for CIS, NSA & CISA Cybersecurity technical report for Kubernetes hardening.
- trivy - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
- trivy-operator - Kubernetes-native security toolkit (vulnerabilities, IaC misconfigurations, exposed secrets, RBAC assessment, compliance, and more) for Kubernetes
- kubernetes-rbac-audit - Tool for auditing RBACs in Kubernetes
- kubernetes-external-secrets - Tool to get External Secrets from HashiCorp Vault and AWS SSM
- vault-secrets-operator - An operator to create Kubernetes secrets from Vault for a secure GitOps based workflow
*Most of the tools are taken from awesome-kubernetes-security.*
A (very small) selection of CTFs and platforms that are especially good for learning real-world vulnerability research:
- pwnable.kr - Binary exploitation challenges
- pwn.college - Structured teaching for pwn & exploitation
- Hack The Box - Labs & boxes (mixed difficulty)
- Root Me - Web, crypto, pwn, reversing, misc
- exploit.education - Labs for Linux pwn and binary exploitation
- Crackmes.one - Crackmes to improve reverse engineering skills.
Contributions are welcome!
Before opening a PR:
- Make sure the resource is high quality and focused on security research (vuln discovery, root cause analysis, exploitation, etc., not generic "how to hack").
- Place it in the right section and keep the list alphabetically sorted.
- Prefer original research and deep-dive content over shallow summaries.
If you're unsure, open an issue and we can discuss it.
This list is licensed under CC0 1.0 Universal.
To the extent possible under law, I waive all copyright and related rights to
the content of this repository. See the LICENSE file for details.
All tools and resources are listed for educational and defensive purposes only.
Use them responsibly and follow the laws in your jurisdiction.
⭐ If you find this project useful, consider giving it a star!