DEV.co
Open-Source Security

Open-Source Security Tools

Guides to open-source security tooling — what they do and how to deploy them as part of a secure SDLC.

In this category

Open-Source Security

aaWAF

aaWAF is an open-source Web Application Firewall built in Go that uses semantic analysis to detect and block common web attacks (SQL injection, XSS, file upload…

Open-Source Security

Above

Above is a Python-based network packet sniffer designed for penetration testers and security engineers to identify vulnerabilities in network protocols and equi…

Open-Source Security

ARL

ARL is an asset reconnaissance platform designed to discover and catalog internet-facing assets associated with a target organization, including domains, IPs, o…

Open-Source Security

AI-Infra-Guard

AI-Infra-Guard is an open-source red teaming platform from Tencent that scans AI systems, agents, skills, and LLMs for security vulnerabilities including jailbr…

Open-Source Security

akto

Akto is an open-source API security platform that discovers APIs, tests them for vulnerabilities, and identifies runtime security issues. It includes 1000+ buil…

Open-Source Security

Android-Disassembler

Android-Disassembler is a mobile app for reverse-engineering binaries on Android devices, supporting ELF, PE, DEX, and other formats. It uses Capstone for disas…

Open-Source Security

AngryOxide

AngryOxide is a Rust-based 802.11 wireless penetration testing tool designed to automate WiFi attack workflows and capture EAPOL handshakes for offline cracking…

Open-Source Security

ansible-role-hardening

Ansible role that automatically hardens Linux servers (AlmaLinux, Debian, Ubuntu) by applying security baselines including SSH configuration, firewall rules, PA…

Open-Source Security

api-firewall

API Firewall is an open-source, high-performance reverse proxy that validates REST and GraphQL API traffic against OpenAPI and GraphQL schemas. It operates in b…

Open-Source Security

APKHunt

APKHunt is a static code analysis tool for Android APK files built on the OWASP MASVS security framework. It scans for common security vulnerabilities in mobile…

Open-Source Security

ApplicationInspector

Application Inspector is a Microsoft-built static analysis tool that scans source code to identify what software does by detecting library calls, APIs, encrypti…

Open-Source Security

AppVerifier

AppVerifier is an Android app that lets users verify app authenticity by comparing signing certificate hashes. Users can share verification info with others to …

Open-Source Security

arcjet-js

Arcjet is a TypeScript/JavaScript SDK that protects AI applications and web services from bot attacks, prompt injection, rate limiting abuse, and sensitive data…

Open-Source Security

ARL

ARL (Asset Reconnaissance Lighthouse) is a Python-based open-source system for discovering and cataloging internet-facing assets associated with a target organi…

Open-Source Security

ARL-docker

ARL-docker is a containerized deployment wrapper around ARL v2.6.2, a reconnaissance and asset discovery tool for cybersecurity. It packages ARL with ~7,000+ fi…

Open-Source Security

Artemis

Artemis is a modular Python-based vulnerability scanner developed by CERT Poland that automates security assessment and report generation for web applications. …

Open-Source Security

articles-translator

A community-driven repository of translated technical articles covering web development, security, JavaScript, and DevOps topics. The project aggregates curated…

Open-Source Security

athena

Athena OS is an Arch/Nix-based Linux distribution tailored for cybersecurity professionals, penetration testers, and security learners. It bundles security and …

Open-Source Security

AttackSurfaceAnalyzer

Attack Surface Analyzer is a Microsoft open-source security tool that compares your system's configuration before and after software installation to identify ne…

Open-Source Security

AutoCVE

AutoCVE is an open-source Python platform that automates CVE discovery in source code using multi-agent AI orchestration. It combines static scanning, source co…

Open-Source Security

automated-security-helper

ASH is a Python-based orchestration engine that runs multiple open-source security scanners (Bandit, Semgrep, Checkov, etc.) to find vulnerabilities in code, in…

Open-Source Security

AutorizePro

AutorizePro is a Burp Suite extension for detecting authorization bypass vulnerabilities (IDOR, broken access control) using AI-assisted analysis to reduce fals…

Open-Source Security

aws-sso-cli

AWS SSO CLI is a Go-based command-line tool that simplifies managing AWS Identity Center credentials for organizations with multiple AWS accounts and roles. It …

Open-Source Security

badsecrets

BadSecrets is a Python library that detects the use of known or weak cryptographic secrets (like default API keys, machine keys, and signing passwords) across 2…

Open-Source Security

bandit

Bandit is a static analysis tool that scans Python code for common security issues by parsing the Abstract Syntax Tree (AST) and running security plugins. It is…

Open-Source Security

Bjorn

Bjorn is a Python-based network scanning and offensive security tool designed to run on Raspberry Pi with an e-Paper display. It autonomously discovers hosts, i…

Open-Source Security

black-hat-rust

Black Hat Rust is an educational book and code repository teaching offensive security techniques using the Rust programming language. It covers reconnaissance, …

Open-Source Security

blackarch

BlackArch Linux is an Arch Linux-based penetration testing distribution containing over 2,800 pre-packaged security tools. It is designed for penetration tester…

Open-Source Security

BLUESPAWN

BLUESPAWN is an open-source Windows EDR and active defense tool built in C++ to help blue teams detect and respond to malware and anomalous activity in real-tim…

Open-Source Security

bomber

Bomber is a Go-based tool that scans Software Bill of Materials (SBOMs) in CycloneDX, SPDX, or Syft formats to identify security vulnerabilities across multiple…

Open-Source Security

bundler-audit

bundler-audit is a Ruby gem that scans your project's dependencies for known security vulnerabilities by checking against the ruby-advisory-db. It identifies in…

Open-Source Security

caddy-waf

Caddy-WAF is a middleware module for the Caddy web server that provides Web Application Firewall capabilities including regex-based rule matching, IP/DNS filter…

Open-Source Security

Cairn

Cairn is a Python-based AI agent system that solves problems by searching through unknown state spaces, validated first on autonomous penetration testing. It us…

Open-Source Security

cameradar

Cameradar is a Go-based penetration testing tool that scans networks for RTSP video surveillance cameras and attempts to breach them via dictionary attacks on c…

Open-Source Security

cargo-auditable

cargo-auditable embeds dependency tree metadata into Rust binaries, enabling post-deployment vulnerability auditing without external tracking. It works transpar…

Open-Source Security

cariddi

Cariddi is a Go-based web crawler and security scanner designed for reconnaissance and bug bounty work. It takes a list of domains, crawls URLs, and detects exp…

Open-Source Security

certificates

step-ca is an open-source private certificate authority (CA) built in Go that automates TLS and SSH certificate management for internal infrastructure. It provi…

Open-Source Security

changeme

changeme is a Python-based default credential scanner that identifies hardcoded and backdoor credentials across multiple protocols (HTTP, SSH, SQL databases, SN…

Open-Source Security

CheatSheetSeries

OWASP Cheat Sheet Series is a curated reference library of concise security best practices for application developers, maintained by OWASP as a flagship project…

Open-Source Security

chipsec

CHIPSEC is an open-source framework for assessing the security of PC platforms, including hardware, BIOS/UEFI firmware, and platform components. It provides sec…

Open-Source Security

community-scripts

Community Scripts is an Apache-2.0 licensed collection of scripting extensions for OWASP ZAP, a web application security testing tool. Users can deploy ready-ma…

Open-Source Security

container-security-checklist

Container Security Checklist is a curated reference guide documenting security best practices across the container lifecycle—from image building and registry ma…

Open-Source Security

ContainerSSH

ContainerSSH is an SSH server that dynamically launches containers on Kubernetes or Docker on-demand when users connect. It acts as a bridge between SSH clients…

Open-Source Security

copacetic

Copacetic is a CLI tool that patches container image vulnerabilities directly without rebuilding entire images. It integrates with vulnerability scanners like T…

Open-Source Security

cve

CVE is an automated repository that aggregates publicly available CVE proof-of-concepts (PoCs) from multiple sources, organized by year. It uses workflows to ga…

Open-Source Security

cve-bin-tool

CVE Binary Tool is an open-source Python utility for scanning software binaries and bill-of-materials (SBOM) files against known vulnerabilities from NVD, Red H…

Open-Source Security

cve-lite-cli

CVE Lite CLI is a terminal-based dependency vulnerability scanner for JavaScript/TypeScript projects that reads your lockfile locally and outputs actionable fix…

Open-Source Security

cyberbro

Cyberbro is a Python-based open-source application that parses unstructured logs and text to extract indicators of compromise (IoCs)—IPs, domains, hashes, URLs—…

Open-Source Security

CyberStrike

CyberStrike is an open-source AI agent that automates penetration testing by combining large language models (Claude, GPT, etc.) with offensive security framewo…

Open-Source Security

dalfox

Dalfox is an open-source XSS scanner written in Rust, designed for automated vulnerability detection across reflected, stored, and DOM-based XSS vectors. It inc…

Open-Source Security

DeimosC2

DeimosC2 is a deprecated Golang-based command-and-control framework designed for post-exploitation red team operations. The project is no longer maintained and …

Open-Source Security

dep-scan

dep-scan is an open-source Python tool that identifies known vulnerabilities, license risks, and supply-chain threats in application dependencies and container …

Open-Source Security

dependency-track

Dependency-Track is an OWASP-backed open-source platform for analyzing software components and identifying supply chain vulnerabilities. It ingests Software Bil…

Open-Source Security

destroylist

Destroylist is a real-time, crowd-sourced blocklist of 170k+ phishing and scam domains, available in multiple DNS-compatible formats (hosts, dnsmasq, RPZ, etc.)…

Open-Source Security

dexcalibur

Dexcalibur is an Android reverse engineering platform that automates dynamic instrumentation tasks using Frida. It combines static DEX analysis, runtime method …

Open-Source Security

django-DefectDojo

DefectDojo is an open-source DevSecOps platform for vulnerability management, risk assessment, and security orchestration. It aggregates findings from multiple …

Open-Source Security

dockle

Dockle is a container image linter that scans Docker images for security vulnerabilities and best-practice violations, including CIS Benchmarks. It runs as a si…

Open-Source Security

dotenv

dotenv is a lightweight Node.js module that loads environment variables from a .env file into the application's runtime, supporting the Twelve-Factor App method…

Open-Source Security

dotenvx

dotenvx is a CLI and Node.js library for managing environment variables with end-to-end encryption, built by the creator of dotenv. It works across platforms an…

Open-Source Security

dpt-shell

dpt-shell is an open-source Android DEX protection tool that obfuscates method implementations by hollowing out DEX bytecode and reconstructing it at runtime. I…

Open-Source Security

EDRHunt

EDRHunt is a Windows-focused command-line tool that detects installed endpoint detection and response (EDR) and antivirus software by scanning processes, servic…

Open-Source Security

ElectricEye

ElectricEye is a Python-based CLI tool for auditing security posture across multiple cloud providers (AWS, GCP, Azure, OCI) and SaaS platforms (ServiceNow, Micr…

Open-Source Security

emba

EMBA is an open-source firmware security analyzer written in Bash that performs static and dynamic analysis on embedded device firmware to identify vulnerabilit…

Open-Source Security

eraser

Eraser is a Kubernetes operator that automatically removes unused container images from cluster nodes to free up disk space and reduce attack surface. It integr…

Open-Source Security

ethereum-lists

Ethereum-lists is a community-maintained repository of curated lists for Ethereum security, including phishing URLs, fake token addresses, and malicious smart c…

Open-Source Security

evillimiter

Evil Limiter is a Python-based tool for Linux that monitors and throttles bandwidth for devices on a local network using ARP spoofing and traffic shaping, witho…

Open-Source Security

extract_otp_secrets

Extract_otp_secrets is a Python tool that extracts OTP (one-time password) secrets from QR codes exported by 2FA apps like Google Authenticator. It supports mul…

Open-Source Security

eyeballer

Eyeballer is a Python-based CNN that automatically classifies web application screenshots into categories like 'Old-Looking Sites', 'Login Pages', 'Webapps', 'C…

Open-Source Security

fofa_viewer

FOFA Viewer is a JavaFX-based desktop client for querying the FOFA internet search engine. It wraps FOFA's API into a user-friendly interface with multi-tab res…

Open-Source Security

fridare

Fridare is a Go-based tool for modifying Frida server binaries and iOS plugins across Windows, macOS, Linux, Android, and iOS platforms. It automates obfuscatio…

Open-Source Security

fscan

Fscan is a Go-based intranet reconnaissance and vulnerability scanning tool designed for automated penetration testing. It performs host discovery, port scannin…

Open-Source Security

galah

Galah is an LLM-powered web honeypot written in Go that dynamically generates HTTP responses to arbitrary requests using large language models from providers li…

Open-Source Security

ggshield

ggshield is an open-source CLI tool that detects 500+ types of hardcoded secrets in code before they reach repositories. It integrates as a pre-commit hook, Git…

Open-Source Security

git-hound

GitHound is a Go-based tool that scans GitHub's public repositories and Gists for exposed API keys, secrets, and credentials using pattern matching and GitHub's…

Open-Source Security

gitGraber

gitGraber is a Python-based monitoring tool that searches GitHub in real-time for exposed sensitive data (API keys, secrets, credentials) across 31+ services in…

Open-Source Security

gogo

Gogo is a high-performance, Go-based reconnaissance and vulnerability scanning engine designed for red team operations. It supports flexible port configuration,…

Open-Source Security

gosec

Gosec is a static security analyzer for Go that scans source code for common vulnerabilities using pattern matching, control flow analysis, and taint tracking. …

Open-Source Security

goshs

goshs is a single-binary file server written in Go that combines HTTP/S, WebDAV, FTP/SFTP, SMB, and LDAP services with built-in security features like TLS, basi…

Open-Source Security

gotestwaf

GoTestWAF is an open-source Go tool that simulates API and OWASP attacks (SQL injection, XSS, etc.) to evaluate Web Application Firewalls, API gateways, and sec…

Open-Source Security

GpgFrontend

GpgFrontend is a cross-platform desktop GUI for OpenPGP encryption and digital signatures. It offers a choice between GnuPG (battle-tested) and Rust rPGP (memor…

Open-Source Security

grapefruit

Grapefruit is an open-source mobile security testing toolkit for iOS and Android that uses Frida to inspect, hook, and modify running apps through a web interfa…

Open-Source Security

graudit

graudit is a lightweight static analysis tool that uses grep and pattern-matching signatures to scan source code for potential security vulnerabilities. It supp…

Open-Source Security

GTFONow

GTFONow is an automated privilege escalation tool for Unix systems that exploits misconfigurations in sudo, setuid/setgid binaries, and capabilities. It is purp…

Open-Source Security

habu

Habu is a Python-based hacking toolkit designed for security testing and network analysis. It bundles network reconnaissance, ARP manipulation, DNS discovery, c…

Open-Source Security

haiti

Haiti is a lightweight CLI tool and Ruby library that identifies hash types from input strings. It supports 675+ hash algorithms including modern variants (SHA3…

Open-Source Security

hardening

A Shell script that hardens Ubuntu servers (22.04 and 24.04) by configuring kernel parameters, disabling unnecessary modules, setting up UFW firewall, and enfor…

Open-Source Security

horusec

Horusec is an open-source SAST (Static Application Security Testing) tool that scans code across 18 languages using 20 different security analysis engines in a …

Open-Source Security

HyperDbg

HyperDbg is a free, open-source Windows debugger that operates at the hypervisor level using Intel VT-x and EPT, enabling kernel and user-mode debugging without…

Open-Source Security

Impost3r

Impost3r is a Linux password-theft tool written in C that captures sudo, SSH, and su credentials by injecting malicious code into shell startup files or PAM mod…

Open-Source Security

inql

InQL is a Burp Suite extension written in Kotlin that automates GraphQL security testing by generating queries, detecting vulnerabilities, and analyzing schema …

Open-Source Security

IntelOwl

IntelOwl is an open-source threat intelligence management platform that aggregates data from multiple sources (VirusTotal, AbuseIPDB, etc.) and internal analysi…

Open-Source Security

interactsh

Interactsh is an open-source out-of-band (OOB) interaction detection tool used to identify vulnerabilities that trigger external interactions. It provides both …

Open-Source Security

Interlace

Interlace is a Python utility that parallelizes single-threaded command-line tools by distributing targets across multiple threads, supporting CIDR notation, gl…

Open-Source Security

inventory

Inventory is a curated, automatically-updated dataset of 800+ public bug bounty programs with DNS and web server metadata. It aggregates program data from multi…

Open-Source Security

jaeles

Jaeles is a Go-based web application security scanner framework designed for automated vulnerability testing. However, the project is archived and no longer mai…

Open-Source Security

JavaSecLab

JavaSecLab is a Spring Boot-based vulnerable application laboratory designed for learning Java security vulnerabilities through hands-on practice. It provides v…

Open-Source Security

juice-shop

OWASP Juice Shop is an intentionally vulnerable web application designed for security training, awareness demos, and CTF competitions. It runs on TypeScript/Nod…

Open-Source Security

keychain

Keychain is a Python-based SSH and GPG agent manager that consolidates multiple agent instances into a single, reusable session per host. It simplifies key mana…

Open-Source Security

keyshade

Keyshade is a realtime secret and configuration management platform that encrypts sensitive data using public-key cryptography, allowing teams to manage secrets…

Open-Source Security

kics

KICS is an open-source static analysis tool that scans Infrastructure-as-Code files (Terraform, Kubernetes, Docker, CloudFormation, etc.) to detect security vul…

Open-Source Security

kingfisher

Kingfisher is an open-source secret scanner built in Rust that detects leaked API keys, tokens, and credentials across code repositories, cloud storage, chat pl…

Open-Source Security

krane

Krane is a Kubernetes RBAC static analysis and visualization tool that identifies security risks in role-based access control configurations. It provides CLI, d…

Open-Source Security

KubeHound

KubeHound is a Datadog-maintained tool that automatically maps attack paths within Kubernetes clusters by building an attack graph. It helps security teams visu…

Open-Source Security

kubernetes-goat

Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment designed for hands-on security learning and penetration testing practice. It provi…

Open-Source Security

kubesec

Kubesec is a static analysis tool for scanning Kubernetes manifests and identifying security risks through rule-based scoring. It operates as a CLI tool, Docker…

Open-Source Security

Ladon

Ladon is a Chinese-language internal network penetration testing scanner written in C# that detects network vulnerabilities, performs credential auditing, and f…

Open-Source Security

landrun

Landrun is a lightweight Linux sandbox tool that restricts what programs can access on the filesystem and network using kernel-level Landlock security. It requi…

Open-Source Security

linux-exploit-suggester

Linux Exploit Suggester (LES) is a shell-based auditing tool that scans a Linux system to identify exposure to known kernel privilege escalation exploits and ve…

Open-Source Security

LuaN1aoAgent

LuaN1aoAgent is an autonomous penetration testing framework using LLMs and causal graph reasoning to simulate expert hacker behavior. It decouples testing into …

Open-Source Security

mantis

Mantis is a Python-based CLI framework that automates security scanning workflows for asset discovery, reconnaissance, and vulnerability detection. It ingests t…

Open-Source Security

matano

Matano is an open-source security data lake built on AWS that normalizes and stores security logs from 50+ sources in a structured, queryable format using Apach…

Open-Source Security

metabigor

Metabigor is an OSINT reconnaissance tool written in Go that performs network discovery, IP enrichment, certificate transparency searches, and related domain di…

Open-Source Security

MetaRadar

MetaRadar is an Android app that scans, analyzes, and tracks Bluetooth Low Energy (BLE) devices in your environment. It helps users identify which BLE devices b…

Open-Source Security

Mobile-Security-Framework-MobSF

MobSF is an automated mobile app security testing platform supporting Android, iOS, and Windows. It performs static analysis on binaries (APK, IPA, APPX) and so…

Open-Source Security

mobsfscan

mobsfscan is a static analysis tool that scans Android and iOS source code (Java, Kotlin, Swift, Objective-C) for insecure patterns. It integrates MobSF securit…

Open-Source Security

monkey

Infection Monkey is an open-source adversary emulation platform that simulates malware spread across networks to test your security defenses. It comprises an ag…

Open-Source Security

monkey365

Monkey365 is an open-source PowerShell module that audits Microsoft 365, Azure, and Entra ID for security misconfigurations and compliance gaps. It bundles all …

Open-Source Security

mutillidae

OWASP Mutillidae II is a deliberately vulnerable PHP web application designed for security training and penetration testing practice. It contains over 40 intent…

Open-Source Security

my-arsenal-of-aws-security-tools

A curated list of open-source AWS security tools covering defensive measures, offensive testing, auditing, and incident response. It serves as a reference guide…

Open-Source Security

MyIP

MyIP is a self-hosted web-based toolbox for checking your IP address, geolocation, and running network diagnostics including DNS leak tests, speed tests, WebRTC…

Open-Source Security

NetExec

NetExec is a command-line tool for executing commands and performing reconnaissance across Windows networks and Active Directory environments. It is the communi…

Open-Source Security

Nettacker

OWASP Nettacker is an open-source Python framework for automated penetration testing and vulnerability scanning. It performs reconnaissance, port scanning, serv…

Open-Source Security

nmap-formatter

nmap-formatter is a Go-based CLI tool that converts nmap XML scan results into multiple human-readable formats (HTML, CSV, JSON, Markdown, Graphviz, SQLite, Exc…

Open-Source Security

nodejsscan

nodejsscan is a static security code scanner (SAST) for Node.js applications that detects common security vulnerabilities. It combines libsast and semgrep engin…

Open-Source Security

noir

Noir is an OWASP-backed static analysis tool that extracts all API endpoints from your source code, including hidden and deprecated routes. It outputs the disco…

Open-Source Security

npq

npq is a CLI tool that audits npm packages before installation by checking for known vulnerabilities, suspicious metadata patterns, and supply-chain red flags. …

Open-Source Security

openappsec

open-appsec is an open-source machine learning-based Web Application Firewall (WAF) that automatically detects and blocks threats against web apps and APIs. It …

Open-Source Security

openrasp

OpenRASP is an open-source Runtime Application Self-Protection (RASP) solution that hooks into application servers to detect and block attacks at execution time…

Open-Source Security

OpenSCA-cli

OpenSCA-cli is an open-source software composition analysis tool that scans project dependencies across multiple languages to detect vulnerabilities and verify …

Open-Source Security

opensquat

openSquat is an open-source Python tool that detects domain look-alikes and cyber squatting threats by monitoring newly registered domains for typosquats, phish…

Open-Source Security

osv.dev

osv.dev is Google's open-source vulnerability database and triage service that aggregates security vulnerability data from multiple sources (NVD, PyPI, Alpine, …

Open-Source Security

osv-scanner

OSV-Scanner is an open-source vulnerability scanner built in Go that checks project dependencies against the OSV.dev database to identify known security vulnera…

Open-Source Security

OWASP-VWAD

OWASP-VWAD is a directory of known vulnerable web applications used for security testing and learning. The repository is being wound down; future work has moved…

Open-Source Security

medusa

MEDUSA is an AI-first security scanner built in Python that detects 40,000+ security patterns with zero setup required. It specializes in AI/LLM supply-chain at…

Open-Source Security

PatrowlManager

PatrowlManager is an open-source security operations orchestration platform that aggregates and coordinates security scans, vulnerability detection, and inciden…

Open-Source Security

pdfrip

PDFRip is a multi-threaded command-line tool written in Rust for cracking password-protected PDF documents using wordlist, brute-force, and structured pattern a…

Open-Source Security

pentest-ai-agents

pentest-ai-agents is a collection of 50 Claude Code subagents designed to assist with penetration testing tasks by routing requests to specialized AI agents. It…

Open-Source Security

PentestingEverything

PentestingEverything is an open-source knowledge base and website for penetration testing and application security, covering 23 domains from web and API to mobi…

Open-Source Security

pipelock

Pipelock is an open-source AI agent firewall that inspects HTTP, WebSocket, MCP, and A2A traffic for secret exfiltration, SSRF, and prompt injection. It sits in…

Open-Source Security

Powershellisfun

Powershellisfun is a curated collection of PowerShell scripts for Windows administration, Microsoft 365, Active Directory, Intune, and Exchange management. The …

Open-Source Security

ppfuzz

ppfuzz is a Rust-based command-line tool that automatically scans websites for client-side prototype pollution vulnerabilities. It uses a headless Chromium brow…

Open-Source Security

privacy.sexy

privacy.sexy is an open-source desktop and web application that automates privacy and security hardening on Windows, macOS, and Linux through curated, reversibl…

Open-Source Security

privado

Privado is an open-source static code analysis tool that detects how sensitive data flows through your codebase, identifies security vulnerabilities, and genera…

Open-Source Security

prowler

Prowler is an open-source cloud security platform that automates compliance and security scanning across AWS, Azure, GCP, Kubernetes, and 6+ other cloud provide…

Open-Source Security

ProxyCat

ProxyCat is a Python-based proxy pool middleware that converts short-lived static proxy IPs into fixed tunnel IPs, enabling persistent proxy services via HTTP/S…

Open-Source Security

psudohash

Psudohash is a Python-based password mutation generator that creates millions of keyword variants by applying leet substitutions, case changes, padding, and yea…

Open-Source Security

Qu1cksc0pe

Qu1cksc0pe is a GPL-3.0 licensed, command-line malware analysis tool written primarily in YARA and Python that performs static and dynamic analysis on Windows, …

Open-Source Security

railsgoat

RailsGoat is an open-source, deliberately vulnerable Rails application maintained by OWASP. It demonstrates real-world security flaws from the OWASP Top 10 and …

Open-Source Security

raven

Raven is a Python-based CI/CD security analyzer that scans GitHub Actions workflows and stores findings in Neo4j. It helps identify misconfigurations and securi…

Open-Source Security

reaper

Reaper is a man-in-the-middle HTTPS proxy tool designed for application security testing. It intercepts and logs web traffic to a local database, offering a CLI…

Open-Source Security

reconftw

reconFTW is a bash-based automated reconnaissance tool that orchestrates subdomain enumeration, vulnerability scanning, OSINT, and web analysis to streamline pe…

Open-Source Security

reconmap

Reconmap is an open-source penetration testing and vulnerability assessment platform built on JavaScript that helps security teams plan, execute, and report on …

Open-Source Security

rengine

reNgine is an open-source web application reconnaissance framework that automates subdomain discovery, vulnerability scanning, and recon data organization. It c…

Open-Source Security

requests-ip-rotator

A Python library that leverages AWS API Gateway to rotate through AWS's IP pool for making requests appear to come from different IP addresses. It's designed to…

Open-Source Security

Reveil

Reveil is an open-source iOS system and security analysis dashboard built in SwiftUI that replicates the discontinued Unveil app. It provides real-time visibili…

Open-Source Security

reverse_ssh

Reverse SSH is a Go-based tool that enables SSH-based reverse shells, allowing operators to manage compromised systems through a central server using native SSH…

Open-Source Security

reversingBits

Reversing Bits is a curated repository of cheatsheets and reference guides for reverse engineering, binary analysis, and assembly programming tools. It covers 4…

Open-Source Security

ronin

Ronin is a GPL-3.0 Ruby toolkit for security research, penetration testing, and CTF activities. It provides CLI commands and libraries for encoding, decoding, n…

Open-Source Security

RustScan

RustScan is a high-speed port scanner written in Rust that identifies open ports in seconds. It supports scripting in Python, Lua, and Shell, and can pipe resul…

Open-Source Security

vet

vet is a Go-based CLI tool for scanning open-source dependencies to detect malicious packages, vulnerabilities, and license compliance issues. It uses SafeDep C…

Open-Source Security

sast-skills

sast-skills is a collection of AI agent skills that transform LLM coding assistants (Claude, Cursor, etc.) into automated vulnerability scanners. It detects 13 …

Open-Source Security

scant3r

ScanT3r is a Python-based, module-driven bug bounty automation framework designed to reduce scripting overhead for web penetration testers. It provides pre-buil…

Open-Source Security

scapy

Scapy is a Python library for building, sending, and analyzing network packets. It replaces or extends the functionality of tools like tcpdump, Wireshark, and n…

Open-Source Security

scilla

Scilla is a Go-based command-line tool for security reconnaissance that automates DNS enumeration, subdomain discovery, port scanning, and directory fuzzing. It…

Open-Source Security

SecretScanner

SecretScanner is a Go-based open-source tool that scans container images and file systems to detect hardcoded secrets like passwords, API keys, SSH keys, and to…

Open-Source Security

security-tools

A collection of Python and Bash security tools designed for CTF competitions, bug bounty hunting, and penetration testing. The project provides scanners, static…

Open-Source Security

semgrep

Semgrep is an open-source static analysis tool that searches code for bugs and security issues across 30+ languages using pattern matching that resembles source…

Open-Source Security

shannon

Shannon is an autonomous AI pentester that analyzes your application source code and executes real exploits against running web apps and APIs to identify vulner…

Open-Source Security

ship-safe

Ship Safe is a CLI security scanner designed for AI-driven development environments. It detects CI/CD misconfigurations, agent permission risks, MCP tool inject…

Open-Source Security

Slack

Slack is a desktop security toolkit (written in Go with Wails UI) that integrates web scanning, directory enumeration, company intelligence, and space search ca…

Open-Source Security

sliver

Sliver is an open-source adversary emulation and red team framework built in Go, enabling organizations to conduct security testing with dynamically compiled im…

Open-Source Security

cli

Step CLI is a command-line tool for managing X.509 certificates, JWT/JOSE tokens, SSH certificates, and OAuth workflows. It works standalone or with step-ca (an…

Open-Source Security

social-analyzer

Social Analyzer is an OSINT tool that searches for a person's profile across 1000+ social media websites using multiple detection techniques. It provides API, C…

Open-Source Security

spiderfoot

SpiderFoot is an open-source OSINT automation tool that gathers intelligence from 200+ data sources to map attack surfaces and support threat intelligence workf…

Open-Source Security

spray

Spray is a high-performance HTTP directory fuzzing and reconnaissance tool written in Go, designed for security testing and red team operations. It offers dicti…

Open-Source Security

SpringBoot-Scan

SpringBoot-Scan is a Python-based penetration testing framework targeting Spring Boot applications. It scans for sensitive information leakage endpoints and pro…

Open-Source Security

ssh-mitm

SSH-MITM is a Python-based tool for intercepting and auditing SSH connections in real time. It sits between SSH clients and servers, capturing credentials, mani…

Open-Source Security

static-analysis

static-analysis is a curated, community-maintained directory of SAST tools and linters across all programming languages and configuration formats. It serves as …

Open-Source Security

Stowaway

Stowaway is a multi-hop proxy tool written in Go, designed for penetration testers to route external traffic through multiple internal network nodes, bypassing …

Open-Source Security

super

SPR is an open-source router platform that assigns one WiFi password per device and enforces zero-trust network policies with per-device DNS rules and ad-blocki…

Open-Source Security

sysmon-modular

sysmon-modular is a community-maintained repository of modular Sysmon configurations for Windows endpoint monitoring and threat detection. It provides pre-gener…

Open-Source Security

tabby

Tabby is a Java static code analysis tool that converts JAR/WAR/CLASS files into code property graphs stored in Neo4j, enabling automated discovery of gadget ch…

Open-Source Security

terragoat

TerraGoat is an intentionally vulnerable Terraform repository maintained by Bridgecrew, designed for security training and testing policy-as-code frameworks. It…

Open-Source Security

threagile

Threagile is an open-source toolkit for agile threat modeling that lets teams define system architecture and assets as YAML files and automatically check them a…

Open-Source Security

ThreatIngestor

ThreatIngestor is an open-source Python tool that extracts and aggregates indicators of compromise (IOCs) from multiple threat feeds—Twitter, RSS, GitHub, web p…

Open-Source Security

thug

Thug is a Python-based low-interaction honeyclient that simulates web browser behavior to detect and analyze client-side malware and exploit attempts. It comple…

Open-Source Security

titus

Titus is a high-performance secrets scanner written in Go that detects leaked credentials, API keys, and tokens across source code, git history, container image…

Open-Source Security

TokenUniverse

TokenUniverse is a Windows-native desktop application written in Delphi/Pascal that provides advanced UI-based manipulation of Windows access tokens, security p…

Open-Source Security

trivy

Trivy is an open-source security scanner that detects vulnerabilities, misconfigurations, secrets, and software licenses across containers, Kubernetes, code rep…

Open-Source Security

trivy-action

trivy-action is a GitHub Action that integrates Aqua Security's Trivy vulnerability scanner into CI/CD pipelines. It scans Docker images, filesystems, repositor…

Open-Source Security

trivy-operator

Trivy Operator is a Kubernetes-native security toolkit that automatically scans your cluster for vulnerabilities, misconfigurations, exposed secrets, and compli…

Open-Source Security

trufflehog

TruffleHog is an open-source secrets discovery and validation tool written in Go that scans Git repositories, cloud storage, chat systems, and other sources to …

Open-Source Security

VAmPI

VAmPI is a deliberately vulnerable REST API built with Flask that includes OWASP Top 10 API vulnerabilities. It is designed for security testing, penetration te…

Open-Source Security

vapi

vAPI is a self-hosted vulnerable API training application that deliberately implements OWASP API Top 10 security flaws as educational exercises. It's designed f…

Open-Source Security

VHostScan

VHostScan is a Python-based virtual host discovery tool that identifies subdomains and virtual hosts by performing HTTP/HTTPS scans and reverse lookups. It hand…

Open-Source Security

vuln-bank

vuln-bank is an intentionally vulnerable banking web application built for security training and penetration testing practice. It simulates real-world banking f…

Open-Source Security

VulnClaw

VulnClaw is an AI-powered penetration testing CLI tool that automates the full testing workflow—reconnaissance, vulnerability discovery, exploitation, and repor…

Open-Source Security

vulnerablecode

VulnerableCode is a free, open-source vulnerability database with a web UI and API that tracks known software package vulnerabilities and their affected/fixed v…

Open-Source Security

vuls

Vuls is an agent-less vulnerability scanner written in Go that detects security issues across Linux, FreeBSD, containers, and other environments. It pulls from …

Open-Source Security

Web-Cache-Vulnerability-Scanner

Web-Cache-Vulnerability-Scanner (WCVS) is a Go-based CLI tool for detecting web cache poisoning and deception vulnerabilities. It supports 10 poisoning techniqu…

Open-Source Security

web-check

Web-Check is an open-source OSINT dashboard that analyzes websites to uncover technical details, security configurations, and infrastructure information. It pro…

Open-Source Security

Whaler

Whaler is a Go utility that reverse-engineers Docker images back into their original Dockerfiles. It extracts layer metadata, detects potential secrets in filen…

Open-Source Security

WhatWeb

WhatWeb is a Ruby-based web application scanner that identifies websites, technologies, and versions by analyzing HTTP responses and server behavior. It offers …

Open-Source Security

wifi-deauth

wifi-deauth is a Python-based denial-of-service tool that disconnects all devices from a target WiFi network by sending spoofed deauthentication packets. It ope…

Open-Source Security

wpprobe

WPProbe is a fast WordPress plugin and theme scanner written in Go that detects installed components via REST API enumeration and HTML parsing, then maps them t…

Open-Source Security

wrongsecrets

OWASP WrongSecrets is an intentionally vulnerable web application designed to teach secrets management security through hands-on challenges. It contains 67 chal…

Open-Source Security

wstg

WSTG is an open-source, community-maintained guide published by OWASP that documents comprehensive web application security testing methodologies and best pract…

Open-Source Security

xalgorix

Xalgorix is a self-hosted AI-powered penetration testing platform that automates security scanning using large language models (LLMs) you control. It combines a…

Open-Source Security

yaklang

Yaklang is a domain-specific programming language built in Go for cybersecurity work, offering both compiled and interpreted execution through its own virtual m…

Open-Source Security

zap-extensions

ZAP Extensions is a collection of add-ons for the Zed Attack Proxy (ZAP), an open-source dynamic application security testing (DAST) tool. These extensions expa…

Open-Source Security

zaproxy

ZAP (Zed Attack Proxy) by Checkmarx is a free, open-source web application security scanner that automatically identifies vulnerabilities during development and…

Open-Source Security

zerobox

Zerobox is a lightweight process sandbox for Rust, TypeScript, and Python that isolates command execution with fine-grained controls over file access, network, …

Open-Source Security

ziti

OpenZiti is an open-source zero-trust networking platform that makes network services invisible and accessible only to authenticated, authorized users or worklo…

Open-Source Security

zizmor

Zizmor is a static analysis tool written in Rust that scans GitHub Actions workflows to identify security vulnerabilities such as template injection, credential…

A software development agency for open-source projects

DEV.co is a software development agency offering custom software development services and web development for companies adopting open-source security tools. Our software developers and web developers evaluate, implement, integrate, customize, and maintain open-source software in production — so your team ships faster with less risk.

Building with open-source security tools?

DEV.co helps companies evaluate, customize, integrate, and deploy open-source software with senior software developers.