This directory covers the best security tools across every major category, from free open-source tools used by security researchers globally to enterprise platforms. For each tool, we've noted real-world applicability so that security teams of any size can identify the right options for their environment and budget.
Network Security & Analysis
| Tool | Cost | Category | Key Use Case | Platform |
|---|---|---|---|---|
| Wireshark | Free (open source) | Packet Analysis | Deep packet inspection, protocol dissection, network troubleshooting and forensics | Windows/Linux/macOS |
| nmap | Free (open source) | Network Discovery | Port scanning, service/version detection, OS fingerprinting, Nmap Scripting Engine (NSE) | Windows/Linux/macOS/BSD |
| Zeek (formerly Bro) | Free (open source) | Network Monitoring | Passive traffic analysis that emits structured logs per protocol (conn, dns, http, ssl, files) plus scripted detections. Commonly paired with Elasticsearch or a SIEM for search, but that is optional. | Linux/FreeBSD/macOS |
| Snort 3 | Free (open source) | IDS/IPS | Signature-based intrusion detection and prevention; Snort 3 is multi-threaded and can use the free Talos community ruleset | Linux/FreeBSD |
| Suricata | Free (open source) | IDS/IPS | Multi-threaded IDS/IPS/NSM with EVE JSON output, per-protocol logging and file extraction; uses the Emerging Threats Open ruleset | Linux/FreeBSD/Windows |
| pfSense CE | Free (open source) | Firewall/Router | FreeBSD-based firewall/router/VPN gateway with a web UI. The commercial pfSense Plus edition and support are sold by Netgate. | Dedicated hardware or VM |
Vulnerability Scanning
| Tool | Cost | Type | Best For |
|---|---|---|---|
| OpenVAS / Greenbone | Free (open source) | Network Vuln Scanner | Authenticated and unauthenticated network vulnerability scanning driven by the Greenbone Community Feed of vulnerability tests (NVTs). Deployable as a set of Docker containers. |
| Nessus Essentials | Free (up to 16 IPs) | Network Vuln Scanner | Same scanner engine as Nessus Professional. The 16-host limit makes it a learning and home-lab tool rather than a production scanner. |
| Nuclei (ProjectDiscovery) | Free (open source) | Template-based Scanner | Fast, template-driven scanner; the community nuclei-templates repository holds thousands of checks for CVEs, misconfigurations and web vulnerabilities. Suited to CI pipelines and large-scope recon. |
| Nikto2 | Free (open source) | Web Application Scanner | Quick scan of a web server for dangerous files, misconfigurations and outdated server software. Noisy and easily detected; not a stealth tool. |
| OWASP ZAP | Free (open source) | DAST / Web App Pen Test | Active and passive web app scanning, API testing (OpenAPI/GraphQL import), CI/CD integration via the official Docker images and baseline/full-scan scripts |
SIEM & Log Management
| Tool | Cost | Self-Hosted? | Free-Tier Ingest Limit | Best For |
|---|---|---|---|---|
| Wazuh | Free (open source, GPLv2) | Yes | No licence limit; bound by hardware | Free SIEM/XDR: log analysis, file integrity monitoring, vulnerability detection, active response, compliance mapping (PCI DSS, GDPR, HIPAA) and cloud integrations (AWS, Azure, GCP, M365) out of the box. |
| Elastic Security (SIEM) | Free (Basic licence) | Yes (self-managed) or Elastic Cloud | No licence limit; bound by hardware | SIEM on the Elastic Stack with prebuilt detection rules. ML anomaly detection needs a Platinum licence. High resource requirements. |
| Graylog Open | Free (source-available, SSPL) | Yes | No licence limit; bound by hardware | Log management with a simpler UX than the raw ELK stack. Security analytics is a separate paid product, so it is less security-specific out of the box than Wazuh. |
| Splunk Free | Free (500 MB/day) | Yes | 500 MB/day indexed | Industry-standard commercial SIEM/log platform. The free licence has no alerting, authentication or clustering: learning and home-lab use only. |
| Microsoft Sentinel | Pay per GB ingested | Cloud (Azure) | None; consumption billed | Cloud SIEM for Azure/M365 environments. Native connectors for Microsoft security products; some Microsoft data sources ingest at no charge. |
Penetration Testing Tools
| Tool | Cost | Category | Use Case | Skill Level |
|---|---|---|---|---|
| Kali Linux | Free (open source) | Full OS | Debian-based distribution with hundreds of pre-installed security tools. The de facto standard pentest OS. | All levels |
| Metasploit Framework | Free (open source; Metasploit Pro is commercial) | Exploitation | Modular exploitation framework: exploits, payloads, auxiliary scanners and post-exploitation modules; the largest public exploit module library | Intermediate+ |
| Burp Suite Community | Free / Pro is a paid per-user annual licence | Web App Pen Test | Industry-standard intercepting proxy for viewing and modifying web traffic. Community edition throttles Intruder and has no active scanner. | Beginner+ |
| Gobuster / ffuf | Free (open source) | Web Fuzzing / Discovery | Directory and file brute-forcing, virtual-host and DNS subdomain enumeration. ffuf is more flexible (FUZZ keyword anywhere in the request, response filtering); gobuster is simpler. | Beginner+ |
| BloodHound / SharpHound | Free (open source) | AD Attack Path Analysis | SharpHound (Windows) or BloodHound.py collects AD relationships; BloodHound graphs them to reveal privilege escalation and lateral movement paths. | Intermediate+ |
| CrackMapExec / NetExec | Free (open source) | AD Exploitation | SMB/WinRM/LDAP enumeration, password spraying, pass-the-hash and lateral movement in Windows environments. CrackMapExec is unmaintained; NetExec (nxc) is the maintained fork. | Intermediate+ |
| Hashcat | Free (open source) | Password Cracking | GPU-accelerated offline hash cracking with hundreds of hash modes and rule/mask attacks. Standard tool for cracking recovered hashes. | Intermediate |
Incident Response & Forensics
| Tool | Cost | Category | Key Use Case |
|---|---|---|---|
| Velociraptor | Free (open source) | DFIR / Endpoint Forensics | Endpoint visibility and forensics platform: VQL queries run live across a fleet for hunting, triage collection and response |
| Autopsy | Free (open source) | Digital Forensics | GUI disk-image forensics platform built on The Sleuth Kit; widely used by law enforcement. |
| Volatility 3 | Free (open source) | Memory Forensics | De facto standard memory forensics framework; analyses RAM dumps for processes, injected code and other malware artefacts |
| TheHive + Cortex | Free (TheHive 4 is open source but end-of-life; TheHive 5 has a free Community edition; Cortex is open source) | IR Case Management | Incident alert and case management; Cortex runs analysers and responders against observables; integrates with MISP and with SIEMs via a REST API |
| MISP (Threat Sharing) | Free (open source) | Threat Intelligence | Threat-intelligence platform: ingest, correlate and share IoCs (IPs, domains, hashes, etc.) with sharing communities and public feeds |
Building a Free SOC Stack
1. Log collection: deploy Wazuh agents on all endpoints and servers.
   Wazuh provides SIEM, endpoint response, file integrity monitoring and compliance mapping (PCI DSS, GDPR, HIPAA) with no licence cost. The Wazuh quickstart sizes an all-in-one server at 4 GB RAM and 2 cores for up to about 25 agents; scale the indexer up beyond that. Agents are lightweight (tens of MB of RAM).
2. Network monitoring: deploy Suricata inline (IPS) or passively on a SPAN/mirror port or network TAP.
   Run Suricata with the Emerging Threats Open ruleset (suricata-update fetches and merges it) and ship its EVE JSON output to Wazuh by installing the Wazuh agent on the sensor and pointing a localfile entry at /var/log/suricata/eve.json. Wazuh's bundled Suricata decoder and rules turn those records into alerts, so you get IDS coverage in the SIEM at no extra cost.
3. Threat intelligence: integrate MISP with Wazuh.
   MISP's default feed list includes abuse.ch, CIRCL and other public sources. Wazuh has no built-in MISP connector; the documented approaches are a custom integration script that queries MISP's REST API for each alert's indicators, or a periodic export of MISP attributes into a CDB list that Wazuh rules match against. Either way, alert when known-bad IPs, hashes or domains appear in your logs.
4. Vulnerability management: run weekly Greenbone/OpenVAS scans.
   Schedule weekly scan tasks against all internal host ranges and alert on new critical/high findings by email or a Slack webhook. Wazuh's own Vulnerability Detection module complements this by matching agents' installed-package inventories against CVE feeds between scans.
5. Response: deploy TheHive for case management.
   Wazuh runs custom integration scripts declared in an integration block of ossec.conf, filtered by rule level, rule ID or group. When a critical alert fires, the script calls TheHive's REST API to create an alert that the analyst promotes to a case, investigates, time-tracks and closes.

Total cost of this SOC stack: £0 in licensing.

Infrastructure costs apply (a roughly £30/month cloud VPS, for example a Hetzner instance, handles Wazuh plus Suricata for small to medium environments). The tooling is production-grade and is used by banks, governments and MSSPs.
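The wiring between steps 3 and 5 is the one part of the stack you write yourself. The script below is an added example, not code from Wazuh, MISP or TheHive: it follows the argument contract Wazuh uses for custom integration scripts (alert file, API key, hook URL), reads the alert's observables using Wazuh's JSON field names, matches them against a MISP-style IoC export and builds a TheHive alert payload. The IoC set and the sample alert are constructed for the example, the severity mapping is this example's own choice, and the HTTP POST to TheHive is omitted so it runs offline.

```python
"""Wazuh custom-integration script gluing steps 3 and 5 of the stack together.

Wazuh invokes scripts declared in an <integration> block of ossec.conf as
`script <alert_file> <api_key> <hook_url>`, with one alert as JSON in the file.
This script pulls observables out of that alert, matches them against a local
MISP-style IoC export and builds a TheHive alert payload (/api/v1/alert
fields). The HTTP POST is omitted so the example runs offline.
"""
import json
import sys
from ipaddress import ip_address

# Constructed IoC set shaped like a MISP attribute export: (type, value).
# MISP's ip-src/ip-dst are folded into "ip"; direction does not matter when
# matching either end of a connection. Real deployments pull from MISP's API.
MISP_IOCS = {
    ("ip", "198.51.100.23"),
    ("domain", "update-check.example.net"),
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
}

# Constructed Wazuh alert: a Suricata EVE alert shipped through the Wazuh agent.
# Wazuh's bundled Suricata rule fires at level 3, well below the usual
# escalation threshold; the MISP match is what makes it worth a case.
SAMPLE_SURICATA_ALERT = {
    "id": "1700000000.123456",
    "rule": {"id": "86601", "level": 3, "description": "Suricata: Alert - ET MALWARE DNS query"},
    "agent": {"id": "001", "name": "web-01"},
    "data": {"src_ip": "10.0.0.15", "dest_ip": "198.51.100.23",
             "dns": {"rrname": "update-check.example.net"}},
}

THEHIVE_TYPES = {"ip": "ip", "domain": "domain", "sha256": "hash"}  # TheHive dataType


def extract_indicators(alert):
    """Set of (type, value) observables. Suricata fields sit under data.*,
    FIM events carry the new file hash as syscheck.sha256_after (Wazuh field names)."""
    data = alert.get("data", {})
    found = set()
    for key in ("srcip", "src_ip", "dstip", "dest_ip"):
        try:
            found.add(("ip", str(ip_address(data[key]))))
        except (KeyError, ValueError):
            pass  # field absent or not a valid IP literal
    host = data.get("dns", {}).get("rrname")
    if host:
        found.add(("domain", host.lower().rstrip(".")))
    sha256 = alert.get("syscheck", {}).get("sha256_after")
    if sha256:
        found.add(("sha256", sha256.lower()))
    return found


def match_iocs(indicators, iocs=MISP_IOCS):
    """Observables that appear in the IoC set (case-insensitive on value)."""
    return indicators & {(t, v.lower()) for t, v in iocs}


def wazuh_level_to_severity(level, ioc_hit):
    """Wazuh level 0-15 -> TheHive severity 1 (low) .. 4 (critical);
    a threat-intel match bumps the result one step. This example's own mapping."""
    base = 1 if level < 7 else 2 if level < 12 else 3 if level < 15 else 4
    return min(4, base + 1) if ioc_hit else base


def build_thehive_alert(alert, iocs=MISP_IOCS, min_level=12):
    """TheHive alert payload, or None when the alert is below the escalation
    level and touches no known IoC (it stays searchable in Wazuh either way)."""
    level = int(alert.get("rule", {}).get("level", 0))
    indicators = extract_indicators(alert)
    hits = match_iocs(indicators, iocs)
    if level < min_level and not hits:
        return None
    rule, agent = alert["rule"], alert.get("agent", {}).get("name", "unknown")
    return {
        "type": "wazuh",
        "source": "wazuh",
        "sourceRef": alert["id"],  # Wazuh alert id; TheHive dedups on source+sourceRef
        "title": f"[{agent}] {rule['description']}",
        "description": f"Wazuh rule {rule['id']} level {level}; MISP matches: {len(hits)}",
        "severity": wazuh_level_to_severity(level, bool(hits)),
        "tags": ["wazuh", f"rule:{rule['id']}"] + (["misp-match"] if hits else []),
        "observables": [{"dataType": THEHIVE_TYPES[t], "data": v, "ioc": (t, v) in hits}
                        for t, v in sorted(indicators)],
    }


def main(argv):
    # argv: <alert_file> <api_key> <hook_url>; only the file is read here.
    with open(argv[1], encoding="utf-8") as fh:
        payload = build_thehive_alert(json.load(fh))
    if payload is not None:  # production: POST to f"{argv[3]}/api/v1/alert"
        print(json.dumps(payload, indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points matter in practice. First, the IoC match overrides the level threshold: Wazuh's Suricata rule is level 3, so without correlation a DNS query to a known C2 domain would never reach an analyst. Second, `sourceRef` is the Wazuh alert ID, so re-running the script on the same alert does not create a second TheHive alert. Wazuh also passes the hook URL and API key as arguments, so keep them out of the script itself.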