A curated list of open-source tools, datasets, sandboxes, scanning engines, and OSINT resources for cyber threat hunters, incident responders, DFIR analysts, and researchers.
This collection is designed to make investigation work easier by keeping high-value, free or community-driven resources in one place.
- Network Scanning & Exposure Mapping
- IP, ASN & Geolocation Intelligence
- Malware Analysis & Sandboxes
- Threat Feeds & IOC Sources
- DNS & Domain Intelligence
- Threat Actor Profiles & Frameworks
- OSINT & Digital Footprinting
- Routing, Certificates & Infrastructure Mapping
- Dark Web & Leak Monitoring
- Tools & Utilities
- Contributing
Tools that help identify exposed services, discover internet-facing infrastructure, and pivot across assets.
-
Censys — https://search.censys.io
Large-scale internet scanning for hosts, certs, and services. -
Shodan — https://www.shodan.io
Search engine for exposed devices, protocols, and vulnerabilities. -
modat.io — https://modat.io
Simple interface for identifying externally exposed services. -
urlscan.io — https://urlscan.io
Sandboxes URLs and displays redirects, network calls, and metadata. -
SecurityTrails — https://securitytrails.com
DNS history, IP metadata, and domain intelligence. -
OpenNIC Project
- Wiki: https://wiki.opennic.org/opennic/dot
- Servers: https://servers.opennic.org
Alternative DNS root servers and open DNS infrastructure.
-
Netlas — https://netlas.io
Internet indexing for DNS, certificates, and service enumeration. -
Rapid7 Project Sonar — https://opendata.rapid7.com/sonar.fdns_v2/
Open DNS and scanning datasets.
Helpful for attribution, routing analysis, enrichment, and network-level context.
-
Team Cymru IP-ASN Mapping — https://www.team-cymru.com/ip-asn-mapping
Accurate IP-to-ASN mapping and reputation lookups. -
IPStack — https://ipstack.com
IP geolocation, ASN, and risk scoring. -
IP2Location — https://www.ip2location.com
Geolocation and ISP metadata. -
bgp.tools — https://bgp.tools
BGP path, ASN visibility, and prefix insights. -
Hurricane Electric BGP Toolkit — https://bgp.he.net
Routing, ASN info, IX peering, and prefix analysis. -
PeeringDB — https://www.peeringdb.com
ASN peering, IXPs, and network operator data.
Detonation platforms for behavioral analysis, static inspection, and threat classification.
-
VirusTotal — https://www.virustotal.com
File, IP, URL scanning across multiple engines. -
Hybrid Analysis — https://www.hybrid-analysis.com
Dynamic sandbox analysis by CrowdStrike. -
Joe Sandbox — https://www.joesandbox.com
In-depth static and dynamic analysis. -
Triage — https://tria.ge
Malware detonation, clustering, and behavioral logs. -
ANY.RUN — https://any.run
Interactive real-time sandbox environment. -
Intezer Analyze — https://analyze.intezer.com
Code-reuse and “genetic” malware analysis. -
MalwareBazaar (Abuse.ch) — https://bazaar.abuse.ch
Public malware sample repository. -
CAPA — https://github.com/mandiant/capa
Detects malware capabilities in binaries.
Community-driven IOC collections for malware C2s, botnets, ransomware, and malicious infrastructure.
-
ThreatFox (Abuse.ch) — https://threatfox.abuse.ch
IPs, URLs, hashes, and malware indicators. -
Feodo Tracker (Abuse.ch) — https://feodotracker.abuse.ch
Qakbot, Dridex, and Feodo botnet tracking. -
Viriback Tracker — https://tracker.viriback.com
Botnet and malware infrastructure tracking. -
MalBeacon — https://malbeacon.com
Beaconing behavior detection and network telemetry. -
Ransomwatch — https://ransomwatch.telemetry.ltd/#/profiles
Ransomware leak site monitoring. -
RansomLook — https://www.ransomlook.io/groups
Ransomware group profiles and leak tracking. -
MISP Project — https://www.misp-project.org
Threat intel sharing platform used globally. -
OpenPhish — https://openphish.com
Free phishing IOC feed. -
PhishTank — https://phishtank.org
Community phishing URL verification.
Resolve infrastructure changes, pivot on DNS records, and explore domain history.
-
GreyNoise — https://www.greynoise.io
Noise vs targeted activity, IP reputation. -
PassiveDNS.info — https://www.passivedns.info
Historical DNS resolution data. -
DNSlytics — https://dnslytics.com
Reverse DNS, hosting metadata, and subdomains. -
ProjectDiscovery Chaos — https://chaos.projectdiscovery.io
Massive community DNS dataset. -
crt.sh — https://crt.sh
Certificate Transparency search for domain discovery. -
CertSpotter — https://sslmate.com/certspotter
CT log monitoring for new domain certificates.
-
MITRE ATT&CK — https://attack.mitre.org
Adversary TTP framework with techniques, groups, and software. -
APT Map — https://aptmap.net
Visualized APT relationships, campaigns, and activity. -
CrowdSec Threat Intelligence — https://crowdsec.net/threat-intelligence
Community IP reputation and attack telemetry.
Useful for identity research, infrastructure mapping, and investigations.
-
Hunter.io — https://hunter.io
Email enumeration and domain footprinting. -
Epieos — https://epieos.com
Email and account OSINT lookup. -
Have I Been Pwned — https://haveibeenpwned.com
Breach exposure lookup. -
GitHub Archive — https://www.gharchive.org
Developer activity and OSINT on code commits. -
Wayback Machine — https://archive.org/web
Historical snapshots of domains and infrastructure.
Tools for BGP, TLS fingerprinting, CT logs, and network-level pivoting.
-
CIRCL Certificate Search — https://www.circl.lu/services/certificate-search
Certificate metadata, SANs, and fingerprint pivoting. -
JA3 Fingerprinting — https://github.com/salesforce/ja3
TLS client fingerprinting. -
JARM — https://github.com/salesforce/jarm
TLS server fingerprinting. -
RIPEstat — https://stat.ripe.net
Routing history, visibility, and ASN analysis. -
Shadowserver — https://www.shadowserver.org/what-we-do/public-benefit-services/
Botnet, exposure, and security scans.
Some free, OSINT-safe resources exist for monitoring leaked data and Tor infrastructure.
-
dark.fail — https://dark.fail
Tor service status and verified links. -
Public BreachForum mirrors
Mirrors used for OSINT on leaked data (avoid criminal sites).
-
CyberChef — https://gchq.github.io/CyberChef
Universal data manipulation toolkit. -
ProjectDiscovery Tools — https://projectdiscovery.io
Recon and scanning tools (subfinder, nuclei, dnsx, httpx, etc.) -
OWASP Amass — https://github.com/owasp-amass/amass
Attack surface and subdomain enumeration. -
Hindsight / Dumpzilla
Browser forensics utilities.
Suggestions, PRs, and new tool recommendations are welcome!
Feel free to submit improvements or new resources.