Linux Security Tools (Top 100)
Based on reviews and automated analysis, these are currently the best Linux security tools. This list is populated with tools that are publicly available. It is updated weekly and a great way to learn about new tools. Add them to your tool box!
Lynis (system security scan)
Security auditing tool for systems running Linux or other Unix-based operating systems, performing an in-depth health check.
Cyphon (incident management and response platform)
Cyphon is an incident management and response platform to deal with incoming alerts and messages. It is multi-purpose and can be used for information security.
Suricata (network IDS, IPS and monitoring)
Network threat detection engine that acts as an intrusion detection system (IDS), inline intrusion prevention system (IPS), and network security monitoring (NSM) tool.
osquery (operating system query tool)
The osquery tool allows querying your Linux, Windows, and macOS infrastructure. It can help with intrusion detection, infrastructure reliability, or compliance.
Social-Engineer Toolkit (social engineering toolkit)
The Social-Engineer Toolkit (SET) is an open source penetration testing framework. It helps with assignments that require social engineering.
THC Hydra (password discovery)
THC Hydra is a brute-force cracking tool for remote authentication services. It supports many protocols, including telnet, FTP, LDAP, SSH, SNMP, and others.
WPScan (WordPress vulnerability scanner)
WPScan is a security tool to perform black box WordPress vulnerability scans, including enumeration of the plugins in use.
BetterCAP (MitM tool and framework)
BetterCAP is a complete, modular, portable and easily extensible MitM tool and framework. It is maintained well and appreciated by many.
IVRE (reconnaissance for network traffic)
IVRE is a framework to perform reconnaissance for network traffic. It leverages other tools to pull in the data and show it in the web interface.
vFeed (vulnerability database and query engine)
vFeed is a set of tools around correlated vulnerability and threat intelligence. It provides a database, API, and supporting tools to store vulnerability data.
Hashcat (password recovery tool)
Hashcat is a well-known tool to crack passwords. It has advanced features to improve performance, allow session resumption, and more.
Veil Framework (Metasploit payload generator)
Veil is a security tool designed to generate payloads for Metasploit that help in bypassing common anti-virus solutions.
ZAP (web application analysis)
The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.
Anchore (container analysis, inspection, and control)
Vault (storage of secrets)
Vault is a tool created by HashiCorp to store secrets like keys and passwords. These secrets are typically used by other software components and scripts.
SpiderFoot (OSINT automation tool)
SpiderFoot is an open source intelligence (OSINT) automation tool. It automates the process of gathering intelligence, like IP addresses, domains, and networks.
Fail2ban (log parser and blocking utility)
Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks.
Seccubus (automation of vulnerability scanning)
Seccubus automates vulnerability scanning with support for Nessus, OpenVAS, NMap, SSLyze, Medusa, SkipFish, OWASP ZAP, and SSLlabs.
O-Saft (OWASP SSL audit for testers)
O-Saft is a security tool to show information about SSL certificates. It tests the SSL connection with the given list of ciphers and configuration.
Commix (command injection tool for web applications)
Commix is a security tool to test web applications and find vulnerabilities related to command injection attacks. It can be used during security assignments.
LMD (malware detection tool)
Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released with the GPLv2 license.
radare2 (reverse engineering tool and binary analysis)
radare2 is a tool to perform reverse engineering on files of all types. It can be used to analyze malware, firmware, or any other type of binary files.
YARA (malware identification and classification)
YARA is a security tool that helps malware researchers identify and classify malware samples, for example by defining malware families based on patterns.
LIEF (library for analysis of executable formats)
LIEF is a library to analyze executable formats like ELF, MachO, and PE. It can be used during reverse engineering, binary analysis, and malware research.
Bro (network security monitoring tool)
Bro is a network security monitoring (NSM) tool. It can also play an active role in performing forensics and incident response.
KeePassXC (cross-platform password manager)
KeePassXC is a cross-platform application to store sensitive data like passwords, keys, and other secrets. It has a graphical user interface and is written in C++.
OpenStego (steganography tool)
OpenStego is a free steganography solution to hide data in other files like images, or add a watermark to them.
mitmproxy (TLS/SSL traffic interception)
The mitmproxy tool allows you to intercept, inspect, modify, and replay traffic flows. It may be used for pentesting, troubleshooting, or learning about SSL/TLS.
sqlmap (SQL injection tool)
sqlmap performs automatic SQL injection and can take over a database. It is a valued tool for pentesters and those who want to test their web applications.
Arachni (web application scanner)
Web application security scanner aimed at helping users evaluate the security of web applications.
Cuckoo Sandbox (malware analysis tool)
Cuckoo Sandbox is a malware analysis system. By feeding it suspicious files, Cuckoo can provide detailed findings on what a file did and how it behaved.
WordPress Exploit Framework (WordPress exploiting toolkit)
The WordPress Exploit Framework (WPXF) is a framework written in Ruby. As the name implies, it aids in pentesting WordPress installations.
Loki (file scanner to detect indicators of compromise)
Loki is a security tool to find so-called indicators of compromise (IOC). It does this by scanning files and applying pattern matching.
Brakeman (static code analyzer for Ruby on Rails)
Brakeman is a static code analysis tool for Ruby on Rails to perform a security review. It comes as an open source project with optional commercial support.
Nmap (network scanner)
Nmap is a security scanner that can perform a port scan, network exploration, and determine vulnerabilities.
Cowrie (SSH/telnet honeypot)
Cowrie is a honeypot to emulate SSH and telnet services. It can be used to learn attack methods and as an additional layer for security monitoring.
SNARE (web application honeypot)
SNARE is a reactive honeypot for security research, detecting attacks, and responding to possible flaws within your environment. It is the successor of Glastopf.
ntopng (network traffic monitoring)
ntopng is the successor of the original ntop utility. It shows network usage by capturing traffic and provides insights on the usage.
BleachBit (system cleaner and privacy tool)
BleachBit is an open source tool focused on maintaining your privacy by cleaning up sensitive data on the system.
The Sleuth Kit (disk image forensics toolkit)
The Sleuth Kit is a toolkit to investigate disk images and do forensic analysis on them.
Wireshark (network traffic analyzer)
Wireshark is the well-known network protocol analyzer. It allows you to see what is happening on the network and zoom into the details of the network protocols.
DataSploit (OSINT framework)
DataSploit is a framework to perform intelligence gathering to discover credentials, domain information, and other information related to the target.
UPX (executable packer)
UPX is a tool to pack several executable formats. It is free, portable, extendable, and well-known.
ClamAV (malware scanner)
ClamAV is an open source antivirus engine. It can detect malicious software (malware) like trojans, viruses, backdoors and other related threats.
Volatility (memory forensics framework)
Volatility is a volatile memory analysis framework used for forensics purposes. The framework is written in Python and runs on almost all platforms.
SIMP (system integrity and configuration enforcement)
SIMP is short for System Integrity Management Platform. It is a project maintained by the NSA and released as an open source project.
mongoaudit (audit tool for MongoDB databases)
Mongoaudit performs a security audit on MongoDB instances. It can be used to test if the right security measures are taken and detect room for improvement.
OWTF (offensive web testing framework)
The OWTF project (Offensive Web Testing Framework) unites tools for penetration testing. Most parts are written in Python.
Lemur (certificate management)
Lemur manages TLS certificate creation and the underlying process that is required. It acts as a broker between a certificate authority (CA) and the environment.
Vuls (agentless vulnerability scanner)
Vuls is a vulnerability scanner for Linux and FreeBSD. It is written in Go, agentless, and does a remote login to find any software vulnerabilities.
OpenSCAP (suite with tools and security data)
Tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
Ruler (Exchange pentest tool)
Ruler is a security tool that interacts with Exchange servers remotely. It uses either the MAPI/HTTP or RPC/HTTP protocol, with the goal to gain a remote shell.
ATSCAN (search (dork) scanner for mass exploitation)
ATSCAN is a security tool to perform a mass exploitation scan on search engines. It discovers targets that may be susceptible to exploitation.
TANNER (intelligence engine for SNARE tool)
TANNER is the 'brain' of the SNARE tool. It evaluates its events and alters the responses to incoming requests depending on the type of attacks.
HoneyPy (low interaction honeypot)
HoneyPy is a low interaction honeypot written in Python, yet has additional capabilities. Plugins can be created to emulate services that run on UDP or TCP.
SSLyze (SSL/TLS server scanning library)
SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.
Assimilator (firewall orchestration tool)
Assimilator is a firewall orchestration tool. It allows configuration and automation of firewall rules by proxying requests to different types of firewalls.
Detective (detect information disclosure and data exposure)
Detective helps to find information that you are not supposed to see. It focuses on information disclosure and sensitive data exposure vulnerabilities.
django-axes (track failed login attempts for Django)
Django-axes is a reusable app for Django to limit brute-force login attempts against your web application.
ssh_scan (SSH configuration scanner)
The ssh_scan utility is an SSH configuration and policy scanner maintained by the Mozilla Foundation. It helps to secure Linux systems running OpenSSH.
Prowler (AWS CIS Benchmark Tool)
Prowler is a security tool to perform security audits on AWS configurations. It helps to find configuration flaws and improve system hardening.
HoneyPi (honeypot on the Raspberry Pi)
HoneyPi is a tool to turn a Raspberry Pi into a honeypot. It can be used to learn about any network scanning activity and take actions.
arping (ARP scanner)
arping is a tool for the discovery of hosts on a computer network using the Address Resolution Protocol (ARP).
Passmgr (password manager)
Passmgr is a simple portable password manager written in Go. It helps with storing secrets, like passwords and API keys.
Belati (OSINT tool)
Belati is a security tool to collect public data and information and calls itself a Swiss army knife for OSINT purposes.
Findsploit (exploit search tool)
Findsploit is a simple script to search both local and online exploit databases. Typically this is used by penetration testers during a security assignment.
APT2 (automation of pentest tasks)
APT2 is a tool written by Adam Compton and Austin Lane to help pentesters automate mundane scanning tasks. It leverages scan results from Nexpose, Nessus, or Nm
hsecscan (website headers extraction)
hsecscan performs a security scan of a website and analyses any discovered HTTP headers. For each header, it will provide details and recommendations.
bane (AppArmor profile generator)
The bane tool is an AppArmor profile generator for Docker containers. It helps with creating the appropriate profile for confinement on system level.
WPForce (WordPress scanner and exploiter)
WPForce is a suite of tools to attack WordPress installations. One part focuses on brute forcing logins, the other on uploading a shell upon finding credentials.
Masscan (high-performance port scanner)
Masscan is a security tool to perform a network scan of many systems at once. It uses optimized asynchronous transmissions to achieve its performance.
Security Monkey (security monitoring tool)
Security Monkey monitors AWS and GCP accounts for policy changes and alerts on insecure configurations.
OpenVAS (vulnerability scanner)
OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
Xplico (network traffic analyzer)
Xplico is a forensics analysis tool to investigate the traffic patterns in a pcap file. It is released as a GPL project, with some scripts under a CC license.
BoopSuite (wireless security testing tool)
BoopSuite is a wireless pentesting suite to perform security auditing and test wireless networks. It can be used for penetration tests and security assignments.
swap_digger (data excavation tool for Linux swap)
The swap_digger tool helps with extracting sensitive data from a mounted swap partition. It can be used for forensics, post exploitation, or data discovery.
pwdlyser (Password analysis and reporting tool)
The pwdlyser tool can help during penetration tests and security assignments to analyze cracked passwords and their strength.
pshtt (domain scanner for HTTPS usage)
pshtt is a security tool to scan domains for the usage of HTTPS and the application of best practices in their web configuration.
addrwatch (monitoring of ARP and IP addresses)
Addrwatch is a tool similar to arpwatch to monitor IPv4/IPv6 and Ethernet address pairing.
Scout2 (Security auditing tool for AWS)
Scout2 is a security tool to assess the security of an AWS environment. It can be used for system hardening and IT audits.
Confidant (storage of secrets)
boofuzz (fuzzing framework)
Boofuzz is a fork of the Sulley fuzzing framework, created after its maintenance dropped. Besides numerous bug fixes, boofuzz aims for extensibility.
Leviathan Framework (mass audit toolkit)
Leviathan is a security tool to provide a wide range of services including service discovery, brute force, SQL injection detection, and exploit capabilities.
django-defender (defender against brute force login attempts)
Django-defender is a reusable app for Django that blocks people from performing brute-force login attempts.
Gitrob (discovery of sensitive data in repositories)
Gitrob is a security tool to find sensitive information on GitHub. During the audit, it may detect passwords, API keys, or other secrets.
USB Canary (device monitoring)
USB Canary monitors the devices on a system for the addition or removal of USB devices. On such an event, an alert is sent.
Kitty (fuzzing framework)
Kitty is a modular and extensible fuzzing framework written in Python. It is inspired by OpenRCE's Sulley and Michael Eddington's Peach Fuzzer tool.
changeme (credential scanner)
The tool changeme is a credential scanner for default usernames and passwords, or common combinations of these.
Rootkit Hunter (malware scanner)
Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix.
OSSEC (host-based intrusion detection system)
OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, rootkit detection, and more.
Cppcheck (static code analyzer)
Cppcheck is a static code analysis tool for C and C++ code. It helps to discover bugs that would not be picked up by compilers, while avoiding false positives.
chkrootkit (malware scanner)
chkrootkit is a malware scanner to locally check for signs of a rootkit. It is written in shell script and runs on the host system itself.
nftables (network traffic filtering)
nftables is a subsystem of the Linux kernel to filter and classify network traffic, and is intended to replace netfilter.
DBShield (database security shield)
DBShield is a gateway between an application and the actual database engine. Its goal is to protect against SQL injections and other database attacks.
Vulnreport (security review and reporting platform)
Vulnreport is a tool to automate and manage all the data involved in security reviews. In particular, it focuses on discovered vulnerabilities.
THC IPv6 Attack Toolkit (attack toolkit for IPv6 protocol)
THC IPv6 attack toolkit is a set of utilities. It can be used for penetration testing and security assessments of correct network implementations.
Douane (application firewall)
Douane is an application firewall that interacts with the user to allow or deny new network connections.
XSS Hunter (Cross-site scripting scanner)
XSS Hunter helps with finding XSS attacks and triggers a warning when one is successful. It exists as an online service or a self-hosted installation.
sslsniff (SSL traffic sniffing)
The sslsniff tool helps with performing man-in-the-middle (MitM) attacks on SSL/TLS traffic. It can be used for security assignments.
DarkJPEG (open source steganography web service)
DarkJPEG is an open source steganography web service. It hides data inside a JPEG image, with anonymity and plausible deniability in mind.