security
A collection & lists of intel and usernames scraped from various cybercrime sources & forums. DarkForums, HackForums, Patched, Cracked, BreachForums, OGUser, XSS, Dread, & more.
Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks.
Generate realistic synthetic security logs for cybersecurity threat hunting training and research.
A modular asset discovery framework written in Python to automate repetitive manual work.
Cygor is a modular asset discovery framework that brings scanning, parsing, and service enumeration together in one workflow. It replaces the patchwork of separate tools with an automated process that handles discovery, enrichment, and targeted enumeration seamlessly — reducing manual overhead and letting you focus on results instead of tool management.
A reference implementation for autonomous vulnerability discovery and remediation with Claude.
Skills for threat modeling, scanning, triage, patching, plus an autonomous scanning harness you can /customize.
A Claude Code skill bundle for bug hunting and external red-team work - 51 skills, 15 slash commands, 681 disclosed-report patterns curated across 24 vulnerability classes, plus enterprise identity + infrastructure attack matrices.
Open-source hospital crisis management platform — multi-site, multi-language.
It is a complete, mature, ready-to-deploy platform that gives crisis directors, CISOs, medical coordinators, and supervisors the structured information they need — without requiring a cloud, a vendor contract, or a six-month integration project.
Falco-powered policy and visibility layer for AI coding agents.
Prempti brings Falco to the world of AI coding agents. It gives you guardrails that can deny or ask for confirmation on unwanted behaviors, plus real-time visibility into every tool call your coding agent makes — shell commands, file writes, reads, API calls. Both are driven by Falco rules you can customize to fit your workflow.
RAMPART: Risk Assessment & Measurement Platform for Agentic Red Teaming.
RAMPART is a pytest-native safety testing framework for agentic AI applications. You write tests that attack or probe your agent, and RAMPART orchestrates the interaction, evaluates the outcome, and reports the results.
OpenGraph Collector for Tailscale.
TailscaleHound is a BloodHound OpenGraph collector for Tailscale. It collects tailnet users, devices, groups, tags, ACLs, grants, SSH rules, routes, app connectors, services, invites, webhooks, and related control-plane metadata, then emits a BloodHound-compatible OpenGraph JSON file.
Think EDR, but for CI/CD Pipelines. Open-source eBPF-powered runtime security sensor for GitHub Actions and GitLab CI/CD.
External Secrets Operator is a Kubernetes operator that integrates external secret management systems like AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager, CyberArk Secrets Manager, Pulumi ESC and many more. The operator reads information from external APIs and automatically injects the values into a Kubernetes Secret.
A lightweight caching proxy for package registries.
A caching proxy for package registries. Speeds up package downloads by caching artifacts locally, reducing bandwidth usage and improving reliability.
Local forensic scanner that extracts credentials from AI tool conversation history. For authorized red team and DLP use only.
Local forensic scanner that extracts and verifies credentials from AI tool conversation history. Detection + verification powered by TruffleHog.
Claude Code is finishing up your refactor. It needs your approval for a few commands. Can you finish in time? Your eyes are already glazing over. Can you stay sharp?
Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.
The security firewall for agents.
Give agents prod access and still sleep easy
Claw Patrol holds agent credentials, parses their traffic at the wire, and gates actions they take with rules you write, all while keeping an audit log of every action.
Testing TLS/SSL encryption anywhere on any port.
testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
AI-Powered Docker Security Analyzer.
AI-powered Docker security scanner that explains vulnerabilities in plain English
Windows EVTX log analysis for DFIR — fast parsing, ATT&CK mapping, IOC extraction, and Sentinel anomaly detection. Normal + Juggernaut Mode (Arrow/DuckDB) for 10M+ events.
Enterprise Incident Response Toolkit.
Cross-platform incident response toolkit. 28 pre-built use cases, single binary, zero install. Memory, disk, network, and cloud collection with automated timeline generation.
Cross-platform DFIR toolkit for enterprise incident response. Velociraptor-native, air-gap compatible, portable — no installation required.
VanGuard is a self-contained incident response toolkit built in Go that gives DFIR teams a single binary for triage, threat hunting, memory forensics, disk collection, remote operations, and Velociraptor management — on both Windows and Linux, with or without network access.
Discover gaps in Entra Conditional Access policies before attackers do.
Global Threat Intercept — Real-Time Geospatial Intelligence Platform.
Open-source intelligence for the global theater. Track everything from the corporate/private jets of the wealthy, and spy satellites, to seismic events in one unified interface. Hook an AI agent up to have it parse through data and find previously unseen correlations. The knowledge is available to all but rarely aggregated in the open, until now.
Proactively shrink a Linux host's kernel-module attack surface by blacklisting every module not currently in use.
A single POSIX shell script that shrinks a Linux host's kernel-module attack surface by writing a modprobe.d blacklist for every kernel module not currently in use, minus a built-in baseline and an optional sysadmin whitelist. No daemons, no initramfs changes, no AI inside the tool. One script, one run, one blacklist file.
AI-driven vulnerability discovery and live validation.
A terminal workbench for AI-driven vulnerability discovery and live validation.
Persistent & Secure sandboxes for AI agents.
Give your agents lightning-fast sandboxes with persistent state and versioned filesystems.
The offensive-security platform for modern teams.
Recon, scanning, exploitation, and reporting in a single workspace — whether you're a solo pentester or a global SOC.
Enumerate Azure RBAC and Microsoft Entra ID permissions for Entra ID groups, service principals, and users.
Project Hummingbird builds a collection of minimal, hardened, and secure container images with a significantly reduced attack surface. This strong focus on security combined with a highly automated update workflow aims to minimize CVE counts, targeting near-zero vulnerabilities. All images support amd64 and arm64 architectures.
Deepsec is a security harness for finding vulnerabilities in your codebase powered by coding agents.
deepsec is an agent-powered vulnerability scanner that you can run in your own infrastructure, optimized to perform on-demand review of all code in existing large-scale repos.
Rustinel is an open-source endpoint detection project for Windows and Linux.
It collects native host telemetry using ETW on Windows and eBPF on Linux, normalizes events into a shared model, evaluates Sigma, YARA, and IOC detections, and writes alerts as ECS NDJSON.
Rustinel is designed for blue teams, detection engineers, researchers, and anyone who wants a transparent endpoint detection engine they can inspect, run, test, and extend.
Open-source agent firewall for MCP and AI agent egress
Pipelock enforces MCP, HTTP, and WebSocket egress at the network boundary and produces verifiable audit evidence for every inspected action.
GTFOBins is a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems.
The project collects legitimate functions of Unix-like executables that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.
Go (formerly PowerShell) collector for adding MSSQL attack paths to BloodHound with OpenGraph.
A collector for adding MSSQL attack paths to BloodHound with OpenGraph by Chris Thompson at SpecterOps. Available as both a PowerShell script and a cross-platform Go binary (with concurrent collection, SOCKS5 proxy support, and streaming output).
claude-red is a curated library of offensive security skills designed for the Claude skills system. Each skill is a structured SKILL.md file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to exploit development.
A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.
SmokedMeat is a post-exploitation framework for CI/CD pipelines. Point it at a GitHub organization, let it find vulnerable workflows, deploy an implant to a compromised runner, then pivot through cloud providers, extract secrets, and map the blast radius - all from a terminal UI.
Detect potential imposter commits in GitHub repositories
Got a GitHub token (PAT, App, OAuth) and want to figure out what permissions it has? This repo solves this by allowing you to test and validate the different types of GitHub token.
Experimental Linux strace LLM agent.
pike-agent records and analyzes how programs behave on Linux. It traces a program's activity, indexes it into a database, and lets you chat with an LLM agent about it in a TUI.
PMG protects developers and AI agents from malicious open source packages using proxy, sandbox and SafeDep's threat intelligence feed.
PMG intercepts every package install and checks it for malware before code executes. Install it once, and every npm install, pip install, and poetry add is protected automatically.
A complete security skill suite for OpenClaw and NanoClaw agents (and variants). Protect your SOUL.md (etc.) with drift detection, live security recommendations, automated audits, and skill integrity verification. All from one installable suite.
An LLM-as-a-judge HTTP proxy to secure agents in production.
Deploy agents. Safely. CrabTrap is an LLM-as-a-judge HTTP proxy to secure agents in production. It intercepts every request your AI agent makes, evaluates it against a policy, and allows or blocks it in real time.
AI Model Security Database.
Track jailbreaks, prompt injections, and security incidents across all major AI models. The question is not if - it's when.
LLM Agent Skill for YARA rule authoring and review.
An LLM Agent Skill for expert YARA rule authoring, review, and optimization. Embeds industry best practices from the creator of YARA-Forge and yaraQA into your AI assistant's context.
Security configuration scanner for Claude Code.
Clauditor audits your Claude Code settings and repository configuration to detect security misconfigurations.
Free Code Signing for Open Source software
No more installation warnings. SignPath Foundation provides you with a code signing certificate that provides a clear link between your repository and the published binary.
Static and dynamic analysis tool for detecting malicious code, suspicious binaries, and privacy violations.
Static and dynamic analysis tool for detecting malicious code, suspicious binaries, and privacy violations. Analyzes source code, compiled executables (.exe, .dll, .elf), macOS bundles (.app, .dmg, .pkg), mobile apps (.apk, .ipa), and application packages with YARA rules, Docker behavioral sandboxing, MobSF mobile analysis, payload deobfuscation, and multi-format reporting (JSON, HTML, SARIF).
Scan your dev machine for AI agents, MCP servers, IDE extensions, and suspicious packages - in seconds.
Developer machines are the new attack surface. They hold high-value assets — GitHub tokens, cloud credentials, SSH keys — and routinely execute untrusted code through dependencies and AI-powered tools. Recent supply chain attacks have shown that malicious VS Code extensions can steal credentials, rogue MCP servers can access your codebase, and compromised npm packages can exfiltrate secrets.
Automated monitoring of the top PyPI and npm packages for supply chain compromise. Polls both registries for new releases, diffs each release against its predecessor, and uses an LLM (via Cursor Agent CLI) to classify diffs as benign or malicious. Malicious findings trigger a Slack alert.
Check your AWS CLI commands for security risks before you run them.
Security linter for AWS CLI commands. Catches misconfigurations before they hit your cloud.
703 security checks across 91 AWS services. Findings include severity ratings and a remediated command.
The MITRE Fight Fraud Framework™ (F3) is a curated knowledge base of tactics and techniques used by financial fraud actors, derived from real-world observations of cyber fraud incidents. The framework includes behaviors that characterize known fraud TTPs and references existing MITRE ATT&CK® cyber techniques as applicable to financial fraud. F3 provides a common structure and taxonomy to consistently describe and enumerate the material events of a cyber fraud incident, enabling stronger collaboration on fraud prevention, detection, and response across organizational teams. The knowledge base is globally accessible, open, and available at no charge to any person or organization.
How to disable JavaScript in your browser.
Nowadays almost all web pages contain JavaScript, a scripting programming language that runs arbitrary code, through the web browser, on the visitor's computer. It is supposed to make web pages functional for specific purposes but it has proven its potential to cause significant harm to users time and time again:
Datadog Static AI Security Testing (SAIST) tool.
Code Security scans your first-party code and open source libraries used in your applications in both your repositories and running services, providing end-to-end visibility from development to production.
Collection of npm package manager Security Best Practices.
Shai-Hulud, Nx and other incidents are a growing concern of supply chain security attacks and compromised npm packages. Follow these developer security best practices around npm, package maintenance and secure local development to mitigate security risks.
Open-Source API Security Testing Framework.
API security testing framework for REST, GraphQL, and gRPC that validates authorization logic using role-based testing and YAML-driven templates.
Hadrian is an open-source API security testing framework that detects OWASP API Top 10 vulnerabilities in REST, GraphQL, and gRPC APIs. It uses role-based authorization testing and YAML-driven templates to automatically find broken object-level authorization (BOLA), broken function-level authorization (BFLA), broken authentication, and other critical API security flaws — without writing custom test code.
AI Agent Governance Toolkit — Policy enforcement, zero-trust identity, execution sandboxing, and reliability engineering for autonomous AI agents. Covers 10/10 OWASP Agentic Top 10.
Runtime governance for AI agents — the only toolkit covering all 10 OWASP Agentic risks with 9,500+ tests. Governs what agents do, not just what they say — deterministic policy enforcement, zero-trust identity, execution sandboxing, and SRE — Python · TypeScript · .NET · Rust · Go
The Container Security Platform. Application Kernel for Containers.
gVisor provides a strong layer of isolation between running applications and the host operating system. It is an application kernel that implements a Linux-like interface. Unlike Linux, it is written in a memory-safe language (Go) and runs in userspace.
gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
Full autonomy. Controlled environment. OS-level containment for AI coding agents on macOS.
macOS containment for AI agents — user isolation, kernel sandbox, pf firewall, DNS blocklist, backup/rollback. TLA+ verified.
AI coding agents are most useful when you let them work autonomously. But full autonomy means the agent runs with your full privileges, your credentials, your files.
Hazmat makes that safe.
The Open Cybersecurity Schema Framework (OCSF) is an open standard for cybersecurity event logging and data normalization. The framework is made up of a set of categories, event classes, data types, and an attribute dictionary. It is not restricted to cybersecurity nor to events, however the initial focus of the framework has been a schema for cybersecurity events.