Blue Team Tools [Master]



Welcome to the Blue Team Tools resource center. This curated list is your go-to guide for defensive cybersecurity tools that help you protect, detect, and respond to threats. Whether you’re new to cybersecurity or a seasoned defender, these resources are essential for your security toolkit.

Adversary Emulation

All-In-One Tools

  • CimSweep - CIM/WMI-based tools for IR and hunting on Windows.
  • Cyber Triage - Fast and forensically sound incident response.
  • Doorman - osquery fleet manager.
  • Falcon Orchestrator - Incident management and response automation platform.
  • GRR Rapid Response - Remote live forensics for incident response.
  • TheHive - Scalable, open-source and free Security Incident Response Platform.

Evidence Collection

  • bulk_extractor - Digital forensics tool which extracts PII and other interesting information.
  • CyLR - Fast tool to collect forensic artifacts.
  • ir-rescue - Comprehensive Windows incident response script.
  • Live Response Collection - Collection of scripts for gathering forensic evidence.

File Management and Text Editing

  • 7-Zip - File archiver with a high compression ratio.
  • Notepad++ - Free source code editor and Notepad replacement.

Memory Analysis Tools

  • AVML - Volatile memory acquisition tool.
  • Evolve - Web interface for Volatility.
  • LiME - Loadable Kernel Module (LKM) for volatile memory acquisition.
  • Rekall - Memory forensic framework.
  • Volatility - Advanced memory forensics framework.

Network Analysis

  • Wireshark - Widely-used network protocol analyzer.

Log Analysis Tools

  • APT Hunter - Threat hunting tool for Windows event logs.
  • Chainsaw - Rapid searching and identification of threats in Windows event logs.
  • Log Parser Lizard - GUI for Microsoft Logparser.
  • Sigma - Generic signatures for log events.
  • SysmonSearch - Web application to search event logs collected by Sysmon.


Incident Management

  • Cyphon - Incident management and response platform.
  • DFTimewolf - Tool for orchestrating forensic collection, processing, and data export.
  • Fast Incident Response (FIR) - Cyber incident management platform.
  • RTIR - Incident handling system.
  • Shuffle - General-purpose security automation platform.

Remote Management

  • WinSCP - Popular free SFTP and FTP client for Windows.
  • PuTTY - Free SSH and telnet client for Windows.

System Monitoring

  • Autoruns - Shows you what programs are configured to run during system bootup or login.
  • Procmon - Advanced monitoring tool for Windows.
  • Process Hacker - Multi-purpose tool that helps you monitor system resources.
  • Regshot - Registry compare utility that takes snapshots.

Contribute to the Blue Team Tools List!
If you know of any other essential blue team tools or have feedback on the current list, we’d love to hear from you. Please share your suggestions below or directly contribute by editing the Wiki!