Defensive
A few tools to get started. Some tools could fit in more than one section.
Security Information and Event Management (SIEM) & Monitoring Tools
Log analysis and SIEM: Splunk, IBM QRadar (showcase, intro to SIEM console).
Cloud-based security monitoring platform: LimaCharlie (you can simulate attacks with Atomic Red Team or malware test files, and look at the detection rules to find one to trigger...).
Windows system monitoring tool and log collector: Sysmon (THM: do the exercises or watch the walkthrough; a guide on GitHub lists the important event IDs; you can install Sysmon in an isolated lab environment, run attacks, then try to find the corresponding events in Sysmon).
Malware Information Sharing Platform, useful for threat intelligence sharing: MISP, OTX AlienVault (labs by Sachin Jung Karki, THM exercises and walkthrough).
Automating responses in SIEM platforms or integrating with SOAR (Security Orchestration, Automation, and Response) tools.
Log Management & Analysis
Logs collected from various sources: search logs for each tool that interests you.
Basic log searching and filtering tools: grep for Linux (Filtering log files... - Hackpens, AWK basics - DistroTube, Grep - Navek), findstr/Select-String for Windows (findstr with examples, How to Use Select-String).
Malware pattern matching and detection rules: YARA (GitHub: YARA-Style-Guide, Yara Projects for Beginners, YouTube: What are Yara Rules, YARA for Security Analyst | Crash Course).
Parsing logs with tools that scale log analysis: ElasticSearch, Logstash (Elastic Security for SIEM, many on-demand courses free until 31-10-25).
Network & Traffic Analysis
Network protocol analyzer: Wireshark (Learn from the official website, YouTube: The Complete Wireshark Course Beginner To Advanced, Wireshark Complete Training, Samples: malware-traffic-analysis, SampleCaptures from Wireshark Wiki).
Command-line packet analyzer: Tcpdump (YouTube: Traffic Capture & Analysis, GitHub: how-to-use-tcpdump, TCPDUMP Tutorial).
Intrusion detection/prevention system: Snort (YouTube: Snort Education, THM walkthrough, Other: THM exercises, Build a training lab), Suricata (YouTube: tutorial by Akamai Developer, Scenarios by Nikhil Chaudhari).
Network security monitoring tool: Zeek (can also be an IDS, YouTube: Zeek in Action, Using Zeek and writing scripts, THM walkthrough, Others: THM exercises).
Phishing detection and analysis: PhishTool (THM exercise), email headers (article on Keepnet), static/dynamic email analysis (GitHub: Email-Phishing-Analysis)...
Network segmentation
Network traffic analysis in the cloud: VPC flow logs in AWS, VNet flow logs in Azure (YouTube: Overview by John Savill, Other: official documentation).
Malware Analysis & Sandboxing
Environment to safely analyze suspicious files: Sandboxes (Hybrid Analysis - Tutorial, VMRay, ANY.RUN, Joe Sandbox).
Online malware scanning service: VirusTotal (YouTube: tutorial by Debasish Mandal).
Memory forensics and analysis: Volatility (YouTube: Introduction, memory analysis).
Forensic imaging tool: FTK Imager (YouTube: tutorials by DFIRScience).
Security Operations Center (SOC) & Playbooks
Standardized procedures and automated workflows for incident response: SOC Playbooks (Simulation - go to Practice, get an overview).
Centralizes incident tracking, prioritization, and response automation: IMS - Incident Management System (ServiceNow - Intro, Jira Service Management - Intro, BMC Remedy (Helix ITSM), PagerDuty - Learning platform, Knowledge Base).
Defensive Security Infrastructure
Firewalls (FW): pfSense (YouTube: configuration, training from official platform).
Antivirus (AV)
Web Application Firewall (WAF): SafeLine WAF (YouTube: Easy home lab), AWS WAF (YouTube: Full tutorial, other: official learning platform), Cloudflare WAF (official documentation), Azure Firewall (official learning platform).
Endpoint Detection and Response (EDR): Wazuh (YouTube: Crash Course, Detection Engineering with Wazuh).
Proxy Servers
Extended Detection and Response (XDR)
DDoS protection: AWS Shield (official learning platform).
Threat Hunting & Advanced Detection
XDR combined with endpoint detection for in-depth threat hunting: Cortex XDR by Palo Alto Networks - official learning platform.
A set of open-source test procedures for security testing and red teaming: Atomic Red Team - official tutorial.
A unified SIEM and XDR solution that helps with proactive threat hunting and detection: Elastic Security - tutorial by Rajneesh Gupta.
Cloud Security
Log service for monitoring AWS activity: CloudTrail AWS - tutorial by Cybr, official training material.
Microsoft's cloud security management and threat protection platform: Azure Security Center - official learning platform.
For monitoring and managing security risks in Google Cloud: Google Cloud Security Command Center - Professional Cloud Security Engineer (learning = free, exam = paid).
Cloud-native threat detection tools: AWS GuardDuty, Azure Sentinel.
Vulnerability Management & Patch Management
Tools for vulnerability scanning and management: Nessus (YouTube: Official tutorial), Qualys (YouTube: course by Geek Inside, course by Raghuveer Singh).
Another open-source vulnerability scanner: OpenVAS (YouTube: Complete tutorial after installation).
A search engine for finding devices connected to the internet, which can be used to identify vulnerabilities: Shodan (YouTube: Tutorial by HackerSploit).
Threat Intelligence Platforms
A threat intelligence platform that helps detect threats through data analysis: Anomali.
A platform for integrating threat intelligence into your security workflows: ThreatConnect.
TTP (Tactics, Techniques, and Procedures) framework: MITRE ATT&CK.