diff --git a/public/arf.json b/public/arf.json
index c33c3b17..bf13b24e 100644
--- a/public/arf.json
+++ b/public/arf.json
@@ -18659,321 +18659,451 @@ "name": "Analyst Research Tools", "type": "url", "url": "https://analystresearchtools.com" - } - ] - }, - { - "name": "Graph Visualization", - "type": "folder", - "children": [ + }, { - "name": "MIDINS TITAN", + "name": "Theresearch (T)", "type": "url", - "url": "https://github.com/Med0-n/Midins_Titan-Osint_Tool" - } - ] - }, - { - "name": "Pentesting Recon", - "type": "folder", - "children": [ + "url": "https://github.com/estebanpdl/theresearch", + "description": "Open-source OSINT framework that automates research workflows and data collection", + "status": "live", + "pricing": "free", + "bestFor": "Automated OSINT research and workflow orchestration", + "input": "Research queries and targets", + "output": "Structured OSINT data and research reports", + "opsec": "active", + "opsecNote": "Automated requests; monitor data sensitivity", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, { - "name": "Low Hanging Fruit (T)", + "name": "Shodan CLI (T)", "type": "url", - "url": "https://github.com/blindfuzzy/LHF" - } - ] - }, - { - "name": "Virtual Machines", - "type": "folder", - "children": [ + "url": "https://cli.shodan.io/", + "description": "Command-line interface for Shodan searches with scripting capabilities for batch reconnaissance", + "status": "live", + "pricing": "freemium", + "bestFor": "Automated Shodan queries and batch IP/port discovery", + "input": "Shodan queries and search filters", + "output": "Device information, open ports, vulnerabilities", + "opsec": "active", + "opsecNote": "Queries are logged; free tier has limited queries", + "localInstall": true, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, { - "name": "VMware Workstation Player (T)", + "name": "OSINT VM (T)", "type": "url", - "url": 
"https://www.vmware.com/products/player/playerpro-evaluation.html" + "url": "https://github.com/osintvm/osint", + "description": "Pre-configured virtual machine with hundreds of free OSINT tools pre-installed", + "status": "live", + "pricing": "free", + "bestFor": "Rapid OSINT toolkit deployment without individual tool installation", + "input": "VM deployment and tool configuration", + "output": "Complete OSINT environment with integrated tools", + "opsec": "passive", + "opsecNote": "VM-based; isolation protects host system", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "VirtualBox (T)", + "name": "VirusTotal (T)", "type": "url", - "url": "https://www.virtualbox.org/" + "url": "https://www.virustotal.com/", + "description": "Free malware/URL/IP analysis service supporting file uploads, hash lookups, and URL scanning with 70+ antivirus engines", + "status": "live", + "pricing": "free", + "bestFor": "Malicious file and URL detection without registration", + "input": "File hash, file upload, URL, or IP address", + "output": "Antivirus scan results, threat classification, and related file information", + "opsec": "active", + "opsecNote": "Uploaded files are scanned and visible to other users; hash-only lookups are safer", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Buscador OS (T)", + "name": "URLhaus (T)", "type": "url", - "url": "https://inteltechniques.com/buscador/index.html" + "url": "https://urlhaus.abuse.ch/", + "description": "Free database of malicious URLs and associated threats contributed by security researchers and automated feeds", + "status": "live", + "pricing": "free", + "bestFor": "Checking URLs for known malware associations", + "input": "URL or domain", + "output": "Threat classification, 
associated payloads, and host information", + "opsec": "passive", + "opsecNote": "Query-based only; no contact with target", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Kali Linux OS (T)", + "name": "PhishTank (T)", "type": "url", - "url": "https://www.kali.org/" + "url": "https://www.phishtank.com/", + "description": "Community-driven database of phishing URLs with verification and reporting features", + "status": "live", + "pricing": "free", + "bestFor": "Phishing URL detection and threat intelligence", + "input": "Suspicious URL", + "output": "Phishing threat status and community verification", + "opsec": "passive", + "opsecNote": "Passive database lookup", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "ParrotSec OS (T)", + "name": "Have I Been Pwned (T)", "type": "url", - "url": "https://www.parrotsec.org/" + "url": "https://haveibeenpwned.com/", + "description": "Free public database of breached credentials searchable by email address or password with notification service", + "status": "live", + "pricing": "free", + "bestFor": "Checking if email/password appears in known breaches", + "input": "Email address or password", + "output": "Breach database matches and exposure details", + "opsec": "passive", + "opsecNote": "Searches only operate via HTTPS; consider privacy implications of sharing emails", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Microsoft Edge Development OS VMs (T)", + "name": "Dehashed (T)", "type": "url", - "url": "https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/" + "url": "https://www.dehashed.com/", + "description": "Free breach database search tool 
for finding exposed credentials and data across multiple breaches", + "status": "live", + "pricing": "freemium", + "bestFor": "Searching multiple breach databases simultaneously", + "input": "Email, username, password, or domain", + "output": "Breach records with exposed data details", + "opsec": "active", + "opsecNote": "Searches are logged; premium features provide more detailed results", + "localInstall": false, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Subgraph OS (T)", + "name": "SpiderFoot (T)", "type": "url", - "url": "https://subgraph.com/index.en.html" + "url": "https://github.com/smicallef/spiderfoot", + "description": "Open-source OSINT automation platform that aggregates data from many modules for domains, IPs, emails, and names.", + "status": "live", + "pricing": "free", + "bestFor": "Automated multi-source reconnaissance and pivoting", + "input": "Domain, IP, email, username, or person/entity", + "output": "Linked entities, infrastructure indicators, and investigation graphs", + "opsec": "active", + "opsecNote": "Automated module queries can generate observable traffic against third-party sources.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Tails Live OS (T)", + "name": "theHarvester (T)", "type": "url", - "url": "https://tails.boum.org/" + "url": "https://github.com/laramies/theHarvester", + "description": "Open-source reconnaissance tool for collecting emails, subdomains, hosts, employee names, and open ports from public sources.", + "status": "live", + "pricing": "free", + "bestFor": "Email and subdomain enumeration from public intelligence sources", + "input": "Domain name, company name, and data source selection", + "output": "Emails, hosts, subdomains, and related metadata", + "opsec": "active", + "opsecNote": 
"Source queries may be rate-limited or logged by providers.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Whonix (T)", + "name": "Recon-ng (T)", "type": "url", - "url": "https://www.whonix.org/wiki/Main_Page" + "url": "https://github.com/lanmaster53/recon-ng", + "description": "Open-source modular web reconnaissance framework with workspace support, reporting, and automation modules.", + "status": "live", + "pricing": "free", + "bestFor": "Structured reconnaissance workflows with reusable modules", + "input": "Targets and module configurations", + "output": "Recon datasets, relational records, and exportable reports", + "opsec": "active", + "opsecNote": "Module traffic depends on selected data providers and APIs.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Maigret (T)", + "type": "url", + "url": "https://github.com/soxoj/maigret", + "description": "Open-source username search tool for finding accounts across many websites with extensible site definitions.", + "status": "live", + "pricing": "free", + "bestFor": "Username footprint discovery and identity correlation", + "input": "Username", + "output": "Profile matches, links, and confidence indicators", + "opsec": "active", + "opsecNote": "Performs numerous web checks that may be logged by target services.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Holehe (T)", + "type": "url", + "url": "https://github.com/megadose/holehe", + "description": "Open-source tool that checks if an email is used on many websites via password reset and signup workflow analysis.", + "status": "live", + "pricing": "free", + "bestFor": "Email account 
presence checks across online services", + "input": "Email address", + "output": "Service-by-service email existence indicators", + "opsec": "active", + "opsecNote": "Automated checks can trigger rate limits or anti-automation controls.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false } ] }, { - "name": "Wordlist", + "name": "Free Network & Infrastructure Tools", "type": "folder", "children": [ { - "name": "CeWL (T)", + "name": "Nmap (T)", "type": "url", - "url": "https://github.com/digininja/CeWL" + "url": "https://nmap.org/", + "description": "Free, open-source network scanner for host discovery, port scanning, service detection, and network enumeration", + "status": "live", + "pricing": "free", + "bestFor": "Network reconnaissance, port scanning, version detection", + "input": "Target IP range or hostname", + "output": "Open ports, services, OS fingerprints, traceroute information", + "opsec": "active", + "opsecNote": "Active scanning generates network traffic and will appear in target logs", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "Cupp (T)", + "name": "Wireshark (T)", "type": "url", - "url": "https://github.com/Mebus/cupp" + "url": "https://www.wireshark.org/", + "description": "Free network protocol analyzer for capturing and inspecting packet data in real-time or from files", + "status": "live", + "pricing": "free", + "bestFor": "Network traffic analysis, protocol debugging, packet inspection", + "input": "Network interface or PCAP file", + "output": "Detailed packet information, protocol dissection, traffic patterns", + "opsec": "passive", + "opsecNote": "Local packet capture tool; analyze only traffic you own or have permission to inspect", + "localInstall": true, + "googleDork": false, + "registration": false, + 
"editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "OWASP D4N155 (T)", + "name": "Zenmap (T)", "type": "url", - "url": "https://github.com/OWASP/D4N155" + "url": "https://nmap.org/zenmap/", + "description": "Official graphical interface for Nmap with visual network topology mapping and scan result comparison", + "status": "live", + "pricing": "free", + "bestFor": "User-friendly Nmap scanning with visual topology representation", + "input": "Target IP range, hostname, or saved Nmap results", + "output": "Visual network map, scan results, topology graphs", + "opsec": "active", + "opsecNote": "Same scanning behavior as Nmap; generates active network traffic", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "W Generator", + "name": "ExifTool (T)", "type": "url", - "url": "https://app.wgen.io/" - } - ] - }, - { - "name": "Paterva / Maltego (T)", - "type": "url", - "url": "https://www.maltego.com/", - "description": "Visual link analysis tool for mapping relationships between people, companies, domains, and infrastructure.", - "status": "live", - "pricing": "freemium", - "bestFor": "Link analysis, relationship mapping, entity correlation", - "input": "Domain, email, IP, name, phone number", - "output": "Entity relationship graph, linked records, transform results", - "opsec": "active", - "opsecNote": "Transforms may query targets directly. 
Some data sources log lookups.", - "localInstall": true, - "googleDork": false, - "registration": true, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "Overview", - "type": "url", - "url": "https://www.overviewdocs.com/" - }, - { - "name": "Online Nikto scanner", - "type": "url", - "url": "https://nikto.online/" - } - ] - }, - { - "name": "AI Tools", - "type": "folder", - "children": [ - { - "name": "AI or Not", - "type": "url", - "url": "https://www.aiornot.com/" - }, - { - "name": "Copyleaks", - "type": "url", - "url": "https://copyleaks.com/" - }, - { - "name": "Decopy AI Image Detector", - "type": "url", - "url": "https://decopy.ai/ai-image-detector/" - }, - { - "name": "DeepAI AI Image Detector", - "type": "url", - "url": "https://deepai.org/ai-image-detector" - }, - { - "name": "DeepSeek", - "type": "url", - "url": "https://www.deepseek.com/" - }, - { - "name": "DocMind AI", - "type": "url", - "url": "https://github.com/BjornMelin/docmind-ai-llm" - }, - { - "name": "DuckDuckGo AI Chat", - "type": "url", - "url": "https://duckduckgo.com/aichat" - }, - { - "name": "GPTZero", - "type": "url", - "url": "https://gptzero.me/" - }, - { - "name": "Grammarly AI Detector", - "type": "url", - "url": "https://www.grammarly.com/ai-detector" - }, - { - "name": "Hive AI Generated Content Detection", - "type": "url", - "url": "https://hivemoderation.com/ai-generated-content-detection" - }, - { - "name": "Hugging Face AI Detector", - "type": "url", - "url": "https://huggingface.co/spaces/umm-maybe/AI_Detector" - }, - { - "name": "Illuminarty", - "type": "url", - "url": "https://app.illuminarty.ai/" - }, - { - "name": "Microsoft Copilot", - "type": "url", - "url": "https://copilot.microsoft.com/" - }, - { - "name": "Ollama", - "type": "url", - "url": "https://ollama.com/" - }, - { - "name": "OSINT Analyser", - "type": "url", - "url": "https://github.com/joestanding/osint-analyser" - }, - { - "name": "TrueMedia", - "type": 
"url", - "url": "https://www.truemedia.org/" - }, - { - "name": "WasItAI", - "type": "url", - "url": "https://wasitai.com/" - }, - { - "name": "World Monitor", - "type": "url", - "url": "https://www.worldmonitor.app/" - }, - { - "name": "You.com", - "type": "url", - "url": "https://you.com/" - } - ] - }, - { - "name": "Malicious File Analysis", - "type": "folder", - "children": [ - { - "name": "Search", - "type": "folder", - "children": [ + "url": "https://exiftool.org/", + "description": "Free command-line utility for reading and writing metadata from files including images, PDFs, and documents", + "status": "live", + "pricing": "free", + "bestFor": "Extracting location, camera, and document metadata", + "input": "Image file, PDF, or document", + "output": "EXIF data, creation timestamps, GPS coordinates, Author information", + "opsec": "passive", + "opsecNote": "Local metadata extraction; no external communication", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, { - "name": "Decalage Malware Search", + "name": "Tor Browser (T)", "type": "url", - "url": "https://decalage.info/en/mwsearch", - "description": "Custom metasearch engine that indexes malware analysis databases to find malware samples containing specific strings, filenames, hashes, or IOCs.", + "url": "https://www.torproject.org/download/", + "description": "Free browser bundle providing privacy and anonymity through the Tor network with built-in security features", "status": "live", "pricing": "free", - "bestFor": "Quick metasearch across multiple malware analysis databases by hash, string, or filename", - "input": "IOC (hash, filename, string, yara rule, VT hash)", - "output": "Links to malware analysis reports from aggregated databases", + "bestFor": "Anonymous web browsing and accessing hidden services", + "input": "Standard browser usage", + "output": "Anonymous internet connection 
through Tor relays", "opsec": "passive", - "opsecNote": "Search-only interface; no account required; queries are directed to indexed databases", - "localInstall": false, + "opsecNote": "Anonymous browsing; slower but protects identity and location", + "localInstall": true, "googleDork": false, "registration": false, - "editUrl": true, + "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "VirusShare.com", + "name": "Masscan (T)", "type": "url", - "url": "https://virusshare.com/", - "description": "Repository of 111+ million live malware samples provided for security researchers, incident responders, forensic analysts, and researchers.", + "url": "https://github.com/robertdavidgraham/masscan", + "description": "Open-source high-speed network scanner for large-scale TCP port discovery.", "status": "live", "pricing": "free", - "bestFor": "Bulk access to malware sample collections for research and analysis", - "input": "MD5 hash, account credentials", - "output": "Malware sample files (zip archives, password protected), related IOCs", - "opsec": "passive", - "opsecNote": "Registration required; no direct execution occurs; passive hash lookup available", - "localInstall": false, + "bestFor": "Internet-scale or large-range port scanning", + "input": "Target IP ranges and port sets", + "output": "Open port results and scan timing data", + "opsec": "active", + "opsecNote": "Aggressive scanning creates high-volume traffic and clear detection signals.", + "localInstall": true, "googleDork": false, - "registration": true, - "editUrl": true, + "registration": false, + "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "#totalhash", + "name": "OWASP Amass (T)", "type": "url", - "url": "https://totalhash.cymru.com/", - "description": "Malware Hash Registry that searches against 30+ antivirus databases to validate malware hashes with detection percentage results. 
Updated daily.", + "url": "https://github.com/owasp-amass/amass", + "description": "Open-source network mapping and attack surface discovery tool focused on DNS, ASN, and subdomain intelligence.", "status": "live", "pricing": "free", - "bestFor": "Hash validation against 30+ AV engines with detection percentages", - "input": "MD5 or SHA-1 hash", - "output": "Detection percentage, last seen timestamp, signature matches from AV databases", - "opsec": "passive", - "opsecNote": "No registration required; read-only hash lookups leave minimal traces", - "localInstall": false, + "bestFor": "Subdomain enumeration and infrastructure mapping", + "input": "Target domain or organization", + "output": "Subdomains, DNS records, and related network entities", + "opsec": "active", + "opsecNote": "Mixed passive/active modes; active techniques can be observed by targets.", + "localInstall": true, "googleDork": false, "registration": false, - "editUrl": true, + "editUrl": false, "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "VX Vault", + "name": "RustScan (T)", "type": "url", - "url": "https://vxvault.net/ViriList.php", - "description": "Active collection of malware samples and related data shared among security researchers and malware analysts for threat intelligence.", + "url": "https://github.com/RustScan/RustScan", + "description": "Open-source port scanner written in Rust designed for fast port discovery and Nmap integration.", "status": "live", "pricing": "free", - "bestFor": "Access to active malware sample collections", - "input": "Web interface browsing, malware sample queries", - "output": "Malware sample information, related indicators", + "bestFor": "Fast host port discovery with follow-up service fingerprinting", + "input": "Target IPs or hostnames", + "output": "Discovered open ports and optional Nmap follow-up results", + "opsec": "active", + "opsecNote": "Active probes are visible to monitored hosts and IDS systems.", + "localInstall": true, 
+ "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Free Image & Reverse Search", + "type": "folder", + "children": [ + { + "name": "Google Reverse Image Search", + "type": "url", + "url": "https://lens.google.com/", + "description": "Free reverse image search showing identical and similar images across the web", + "status": "live", + "pricing": "free", + "bestFor": "Finding image origins, duplicates, and related content", + "input": "Image file or URL", + "output": "Matching images, source pages, and related content", "opsec": "passive", - "opsecNote": "Web-based browsing interface; no registration typically required", + "opsecNote": "Queries are processed through Google; image is uploaded to their servers", "localInstall": false, "googleDork": false, "registration": false, 
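Review bot: The added `OSINT VM (T)` entry is tagged `"opsec": "passive"` on the grounds of `"VM-based; isolation protects host system"`, but host isolation says nothing about what a target or third-party source observes. The entry itself describes hundreds of pre-installed tools, and tools of that kind are tagged `active` elsewhere in this hunk (SpiderFoot, theHarvester, Recon-ng). I would set `"opsec": "active"` and reword the note to `"VM isolates the analyst host only; bundled tools still generate target-facing traffic"`. Separately, `VirusTotal (T)` sets `"registration": false` and advertises use "without registration" while also setting `"api": true`. The VirusTotal entry removed further down in this diff had `"registration": true` and `"pricing": "freemium"`, so the two disagree, and as far as I know API access needs an account key.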
@@ -18983,17 +19113,17 @@
 "deprecated": false
 },
 {
- "name": "ID Ransomware",
+ "name": "Yandex Images Search",
 "type": "url",
- "url": "https://id-ransomware.malwarehunterteam.com/",
- "description": "Free ransomware identification tool that analyzes ransom notes and encrypted file samples to identify variants and provide decryption guidance. Detects 1181+ ransomware types.",
+ "url": "https://yandex.com/images/",
+ "description": "Yandex reverse image search tool for finding image origins and similar pictures globally",
 "status": "live",
 "pricing": "free",
- "bestFor": "Ransomware identification and victim support",
- "input": "Ransom note file, encrypted file sample, ransom email address",
- "output": "Ransomware variant identification, decryption status, victim resources",
+ "bestFor": "Reverse image search, image sourcing, visual search",
+ "input": "Image file or URL",
+ "output": "Matching images and source pages",
 "opsec": "passive",
- "opsecNote": "File uploads provide victim privacy options to protect personal data exposure",
+ "opsecNote": "Processed by Yandex servers; alternative to Google for technical overlap validation",
 "localInstall": false,
 "googleDork": false,
 "registration": false,
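Review bot: `"opsec": "passive"` sits beside an `opsecNote` saying the image is processed by Yandex servers, so the entry reads as low-risk even though the investigator's image is handed to a third party. The same pairing appears in the `Google Reverse Image Search` entry added just above this hunk and in the `TinEye Reverse Image Search` entry in the next one, whereas `VirusTotal (T)` in this commit is tagged `active` and its note warns about uploads. Either document that `opsec` describes target contact only, or make the note explicit, e.g. `"opsecNote": "Image is uploaded to Yandex servers; do not submit sensitive or case-restricted images"`. The phrase "technical overlap validation" is also unclear; if it means using a second engine to cross-check results, say that.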
@@ -19003,21 +19133,21 @@
 "deprecated": false
 },
 {
- "name": "National Software Reference Library",
+ "name": "TinEye Reverse Image Search",
 "type": "url",
- "url": "https://nsrl.hashsets.com/national_software_reference_library1_search.php",
- "description": "NIST-maintained repository of cryptographic hash values for known, legitimate software to identify known-good files during digital forensics investigations.",
+ "url": "https://tineye.com/",
+ "description": "Free reverse image search specialized in finding editorial images and tracking image history across the web",
 "status": "live",
- "pricing": "free",
- "bestFor": "Eliminating known-good files in forensic investigations and digital triage",
- "input": "File hash (MD5, SHA-1, SHA-256), software query",
- "output": "Hash matches to known software, file metadata, product versioning",
+ "pricing": "freemium",
+ "bestFor": "Image origin tracking and historical image discovery",
+ "input": "Image file or URL",
+ "output": "Image matches, publication history, and usage context",
 "opsec": "passive",
- "opsecNote": "No registration required; lookup-only service; government maintained",
+ "opsecNote": "Free tier limited; tracks image modifications and publishing timeline",
 "localInstall": false,
 "googleDork": false,
 "registration": false,
- "editUrl": true,
+ "editUrl": false,
 "api": false,
 "invitationOnly": false,
 "deprecated": false
@@ -19025,159 +19155,21 @@ ] }, { - "name": "Hosted Automated Analysis", + "name": "Free Website & Code Analysis", "type": "folder", "children": [ { - "name": "Office Files", - "type": "folder", - "children": [ - { - "name": "TYLabs QuickSand Framework", - "type": "url", - "url": "https://scan.tylabs.com/", - "description": "Python-based malware analysis framework for analyzing Office documents and PDFs to identify exploits in decoded streams using YARA signatures.", - "status": "live", - "pricing": "freemium", - "bestFor": "Document and PDF malware analysis with exploit detection", - "input": "Office documents (.doc, .xls, .ppt), PDFs, emails, Postscript", - "output": "YARA signature matches, exploit detection, risk scoring, threat analysis", - "opsec": "active", - "opsecNote": "Hosted analysis requires file upload; local installation available for offline use", - "localInstall": true, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "JoeSandbox Document Analyzer", - "type": "url", - "url": "https://www.joesandbox.com/", - "description": "Hosted automated malware analysis service that performs dynamic and static analysis of files including Office documents, PDFs, and executables with comprehensive behavioral reporting.", - "status": "live", - "pricing": "freemium", - "bestFor": "Comprehensive malware analysis with behavioral insights and threat scoring", - "input": "Executable files, documents, PDFs, URLs, APKs (Max 30MB free tier)", - "output": "Behavioral analysis, network IOCs, detection verdicts, MITRE ATT&CK mappings, export formats (JSON, XML, HTML, PDF)", - "opsec": "active", - "opsecNote": "File uploads are processed on external sandbox; free tier limited to 30 submissions/month", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - } - ] - }, - { - 
"name": "PDFs", - "type": "folder", - "children": [ - { - "name": "TYLabs QuickSand Framework", - "type": "url", - "url": "https://scan.tylabs.com/", - "description": "Python-based malware analysis framework for analyzing Office documents and PDFs to identify exploits in decoded streams using YARA signatures.", - "status": "live", - "pricing": "freemium", - "bestFor": "Document and PDF malware analysis with exploit detection", - "input": "Office documents (.doc, .xls, .ppt), PDFs, emails, Postscript", - "output": "YARA signature matches, exploit detection, risk scoring, threat analysis", - "opsec": "active", - "opsecNote": "Hosted analysis requires file upload; local installation available for offline use", - "localInstall": true, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - } - ] - }, - { - "name": "Android", - "type": "folder", - "children": [ - { - "name": "Akana Android Malware", - "type": "url", - "url": "https://akana.mobiseclab.org/", - "description": "Online Android Interactive Analysis Environment with plugins for analyzing malicious Android applications and APKs for suspicious behavior and malware characteristics.", - "status": "live", - "pricing": "free", - "bestFor": "Android app malware analysis and interactive examination", - "input": "Android APK files", - "output": "Malware detection results, behavioral analysis, plugin-based threat assessment", - "opsec": "active", - "opsecNote": "File uploads required; external analysis service", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "Joe APK Analyzer", - "type": "url", - "url": "https://www.apk-analyzer.net/", - "description": "Part of Joe Sandbox suite; performs dynamic and static analysis of Android Application Packages to detect malicious behavior and generate detailed analysis 
reports.", - "status": "live", - "pricing": "freemium", - "bestFor": "Android malware analysis with dynamic behavior monitoring", - "input": "Android APK files", - "output": "Malware detection, behavioral analysis, threat intelligence IOCs", - "opsec": "active", - "opsecNote": "File uploads to external sandbox; free tier has limitations", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - } - ] - }, - { - "name": "VirusTotal", + "name": "BuiltWith (T)", "type": "url", - "url": "https://www.virustotal.com/gui/", - "description": "Multi-engine file and URL scanner that aggregates results from 70+ antivirus engines and threat feeds.", + "url": "https://builtwith.com/", + "description": "Free technology profiler identifying web applications, CMS platforms, analytics, hosting, and development frameworks", "status": "live", "pricing": "freemium", - "bestFor": "Malware analysis, URL reputation, file hash lookups", - "input": "File, file hash, URL, domain, IP address", - "output": "Detection results, behavioral analysis, community comments, related indicators", + "bestFor": "Web technology stack identification and infrastructure reconnaissance", + "input": "Website URL or domain", + "output": "CMS, hosting provider, web server, JavaScript libraries, analytics tools", "opsec": "passive", - "opsecNote": "Uploaded files become visible to other VirusTotal users. 
Hash lookups are private.", - "localInstall": false, - "googleDork": false, - "registration": true, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "OPSWAT Meta Defender", - "type": "url", - "url": "https://metadefender.opswat.com/#!/", - "description": "Multi-engine malware scanning service using 20+ antivirus engines with advanced threat analysis, content disarm & reconstruction, and emulation-based detection for zero-day threats.", - "status": "live", - "pricing": "freemium", - "bestFor": "Multi-engine malware detection with advanced threat analysis", - "input": "Files (all types), URLs", - "output": "Multi-engine scan results, threat verdicts, IOC extraction, file behavior analysis", - "opsec": "active", - "opsecNote": "File uploads required; free community version available with API limits", + "opsecNote": "Passive technology detection from public data and site analysis", "localInstall": false, "googleDork": false, "registration": false, 
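Review bot: The `BuiltWith (T)` description opens with "Free technology profiler" and the folder is named "Free Website & Code Analysis", yet the entry sets `"pricing": "freemium"`. `Dehashed (T)` in the first hunk ("Free breach database search tool", `freemium`, `"registration": true`) and the TinEye change in the previous hunk show the same mismatch. I would drop "Free" from the descriptions of freemium entries, e.g. `"description": "Technology profiler identifying web applications, CMS platforms, analytics, hosting, and development frameworks"`, so that `pricing` is the only field a reader has to trust. The BuiltWith object continues past the end of this hunk.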
@@ -19187,78 +19179,78 @@ "deprecated": false }, { - "name": "Hybrid Analysis", + "name": "Wappalyzer (T)", "type": "url", - "url": "https://hybrid-analysis.com/", - "description": "Free automated malware analysis service powered by CrowdStrike Falcon Sandbox. Combines runtime data with memory dump analysis to extract execution pathways and IOCs for evasive malware.", + "url": "https://www.wappalyzer.com/", + "description": "Free browser extension and website analyzer detecting 2000+ web technologies, headers, frameworks, and analytics", "status": "live", - "pricing": "freemium", - "bestFor": "Advanced malware behavior analysis and evasion detection", - "input": "Files (30MB max free tier), URLs, APKs (up to 30 per month free)", - "output": "Hybrid behavioral analysis, memory dumps, disassembly, IOC extraction, behavioral indicators", - "opsec": "active", - "opsecNote": "Free tier limited to 30 uploads/month; file uploads to external sandbox infrastructure", - "localInstall": false, + "pricing": "free", + "bestFor": "One-click technology identification while browsing or analyzing URLs", + "input": "Website URL or active browsing", + "output": "Technology stack, versions, categories, and security headers", + "opsec": "passive", + "opsecNote": "Client-side detection from browser; no contact with targets", + "localInstall": true, "googleDork": false, - "registration": false, + "registration": true, "editUrl": false, "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "Malware Config", + "name": "WhatRuns (T)", "type": "url", - "url": "https://malwareconfig.com/", - "description": "Database for searching and analyzing extracted malware configurations by hash, domain, or IP address to track C2 infrastructure and malware attributes.", + "url": "https://www.whatruns.com/", + "description": "Free browser extension revealing website technology, e-commerce apps, analytics, and ad providers", "status": "live", "pricing": "free", - "bestFor": "Malware 
configuration extraction and C2 server tracking", - "input": "SHA256 hash, domain, IP address, malware family", - "output": "Extracted malware configurations, C2 infrastructure, encrypted keys, command data", + "bestFor": "Quick identification of adjacent web technologies and business tools", + "input": "Browse any website", + "output": "Third-party apps, ad networks, tracking services, CMS, frameworks", "opsec": "passive", - "opsecNote": "Search-only interface; no file uploads required; passive lookups", - "localInstall": false, + "opsecNote": "Local browser extension; passive observation", + "localInstall": true, "googleDork": false, "registration": false, - "editUrl": true, + "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "MetaDefender", + "name": "WhatWeb (T)", "type": "url", - "url": "https://metadefender.opswat.com/", - "description": "OPSWAT's cloud-based multi-engine malware scanning platform with advanced threat detection using 30+ antivirus engines, CDR technology, and behavioral analysis.", + "url": "https://github.com/urbanadventurer/WhatWeb", + "description": "Open-source website fingerprinting tool that identifies technologies, frameworks, and server components.", "status": "live", - "pricing": "freemium", - "bestFor": "Enterprise-grade multi-engine malware detection and advanced threat analysis", - "input": "Files, URLs, streams", - "output": "Multi-engine detection results, threat verdicts, behavioral analysis, IOC extraction", + "pricing": "free", + "bestFor": "Command-line website technology fingerprinting", + "input": "Target URL or domain", + "output": "Detected web technologies, plugins, and headers", "opsec": "active", - "opsecNote": "File uploads required; commercial and free tiers available", - "localInstall": false, + "opsecNote": "Direct requests to target websites may be logged by web servers.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": true, 
+ "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "Ether", + "name": "Wafw00f (T)", "type": "url", - "url": "https://ether.gtisc.gatech.edu/web_unpack/", - "description": "Georgia Tech malware analysis framework using Intel VT hardware virtualization for transparent, stealthy malware analysis resistant to anti-analysis techniques.", + "url": "https://github.com/EnableSecurity/wafw00f", + "description": "Open-source tool for identifying whether a site is protected by a WAF and guessing vendor type.", "status": "live", "pricing": "free", - "bestFor": "Transparent malware analysis resistant to anti-analysis evasion", - "input": "Executable files, malware samples", - "output": "Fine-grained execution traces, instruction-level analysis, unpacking results, behavior extraction", + "bestFor": "Web application firewall detection", + "input": "Target URL", + "output": "WAF presence and likely vendor fingerprint", "opsec": "active", - "opsecNote": "Hosted analysis service; academic research project from Georgia Institute of Technology", - "localInstall": false, + "opsecNote": "Sends fingerprinting requests that are visible in target logs.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
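Review bot: The Wappalyzer entry's `opsecNote` claims "no contact with targets", which conflicts with its own `input` of "Website URL or active browsing". Fingerprinting a page in the browser means the browser has already requested it, so the visit is visible in the target's logs. The WhatRuns note "passive observation" has the same problem. I would reword to `"opsecNote": "Detection runs in the browser on pages you load; the page visit itself is visible to the target"`. It is also worth reconsidering `"opsec": "passive"` for both, since WhatWeb and Wafw00f in this hunk are marked `active` for sending requests to the site.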
@@ -19267,57 +19259,63 @@ "deprecated": false }, { - "name": "Jotti's Malware Scanner", + "name": "Nikto (T)", "type": "url", - "url": "https://virusscan.jotti.org/en-US/scan-file", - "description": "Free multi-scanner malware analysis service that submits files for analysis against 14+ antivirus engines. No installation or account setup required.", + "url": "https://github.com/sullo/nikto", + "description": "Open-source web server scanner for identifying dangerous files, outdated software, and misconfigurations.", "status": "live", "pricing": "free", - "bestFor": "Quick multi-engine scan without installation or account setup", - "input": "Files (up to 5 concurrent, 250MB per file)", - "output": "Detection results from 14+ AV engines, file metadata, scan reports", + "bestFor": "Baseline web server security checks", + "input": "Target URL or host", + "output": "Potential vulnerabilities, risky files, and server findings", "opsec": "active", - "opsecNote": "No account required; file uploads to external scanning service", - "localInstall": false, + "opsecNote": "Active scanning behavior is noisy and can trigger security monitoring.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": true, + "api": false, "invitationOnly": false, "deprecated": false - }, + } + ] + }, + { + "name": "Free Web & Data Tools", + "type": "folder", + "children": [ { - "name": "Valkyrie File Analysis", + "name": "Beautiful Soup (T)", "type": "url", - "url": "https://consumer.valkyrie.comodo.com/", - "description": "Cloud-based verdict-driven malware analysis platform from Comodo using static analysis (450+ unpackers), dynamic analysis, and optional human expert analysis for unknown files.", + "url": "https://www.crummy.com/software/BeautifulSoup/", + "description": "Free Python library for web scraping and parsing HTML/XML with simple and intuitive API", "status": "live", - "pricing": "freemium", - "bestFor": "Advanced malware analysis with human 
expert review option", - "input": "Files (all types), URLs", - "output": "File verdict, behavioral analysis results, IOC extraction, confidence scores, expert analysis", - "opsec": "active", - "opsecNote": "File uploads required; expert analysis available for premium users", - "localInstall": false, + "pricing": "free", + "bestFor": "Web scraping and data extraction from HTML pages", + "input": "HTML content or web pages", + "output": "Parsed and structured data extracted from web pages", + "opsec": "passive", + "opsecNote": "Local parsing library; no external communication", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": true, + "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "detux Linux Sandbox", + "name": "Scrapy (T)", "type": "url", - "url": "https://detux.org/", - "description": "Open-source multiplatform Linux sandbox for analyzing Linux malware across multiple CPU architectures (x86, x86-64, ARM, MIPS) using QEMU emulation and traffic analysis.", + "url": "https://scrapy.org/", + "description": "Free open-source Python framework for web scraping and web crawling at scale with built-in performance optimization", "status": "live", "pricing": "free", - "bestFor": "Linux malware analysis across multiple architectures", - "input": "Linux executable files, malware samples", - "output": "Static analysis strings, dynamic traffic capture, IOC extraction, architecture-specific analysis", + "bestFor": "Large-scale web scraping and automated data collection", + "input": "Target URLs and scraping rules", + "output": "Structured data and databases from multiple pages", "opsec": "active", - "opsecNote": "Open-source tool; can be deployed locally or used as hosted service", + "opsecNote": "Automated web requests; follow robots.txt and respect site policies", "localInstall": true, "googleDork": false, "registration": false, 
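Review bot: The `api` flag is applied inconsistently to code libraries. Beautiful Soup gets `"api": false` in this hunk, while Leaflet, pandas and pdfplumber in the later hunks get `"api": true`, although all four are locally installed libraries with no hosted service shown in their entries. The schema is not visible here, so the intended meaning is an assumption. If `api` means "offers a remote API an analyst can query", the three later entries should read `"api": false`. If it means "usable programmatically", Beautiful Soup should be `true`. Either way the field needs a single documented meaning, because consumers filtering on it will otherwise get arbitrary results.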
@@ -19327,18 +19325,18 @@ "deprecated": false }, { - "name": "Joe File Analyzer", + "name": "OpenStreetMap (T)", "type": "url", - "url": "https://www.file-analyzer.net/", - "description": "Part of Joe Sandbox suite; performs hybrid code analysis of PE files on Windows with detailed behavioral and system interaction reporting.", + "url": "https://www.openstreetmap.org/", + "description": "Free collaborative mapping platform with community-contributed geographic data, alternative to Google Maps", "status": "live", - "pricing": "freemium", - "bestFor": "PE file malware analysis with system interaction tracking", - "input": "PE executable files (.exe, .dll, etc.)", - "output": "Hybrid behavioral analysis, system calls, network IOCs, threat scores", - "opsec": "active", - "opsecNote": "File uploads to Joe Sandbox infrastructure; free tier has submission limits", - "localInstall": false, + "pricing": "free", + "bestFor": "Mapping, location verification, geographic data without vendor lock-in", + "input": "Location queries, coordinates, or map area", + "output": "Maps, directions, POIs, geographic data", + "opsec": "passive", + "opsecNote": "Public mapping data; no external profiling", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
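Review bot: `"localInstall": true` and the note "Public mapping data; no external profiling" do not match the `url`, which points at the hosted openstreetmap.org site. Searches and viewed map areas are sent to that service, so the locations an analyst looks up are disclosed to a third party. The "no external profiling" claim cannot be checked from the entry. Unless the entry is meant to describe a self-hosted tile or geocoding stack, I would set `"localInstall": false` and use `"opsecNote": "Searches and viewed map areas are sent to openstreetmap.org servers"`. The entry's remaining fields lie outside this hunk.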
@@ -19347,38 +19345,38 @@ "deprecated": false }, { - "name": "Pikker.ee Cuckoo Sandbox", + "name": "Leaflet (T)", "type": "url", - "url": "https://sandbox.pikker.ee/", - "description": "Public instance of Cuckoo Sandbox malware analysis system hosted in Estonia. Provides automated dynamic analysis with detailed result reporting for submitted files.", + "url": "https://leafletjs.com/", + "description": "Free JavaScript library for interactive maps with OpenStreetMap integration and plugin ecosystem", "status": "live", "pricing": "free", - "bestFor": "Free automated dynamic malware analysis with detailed behavioral reports", - "input": "Executable files, documents, archives", - "output": "Process monitoring, API calls, file system changes, network traffic, behavioral analysis", - "opsec": "active", - "opsecNote": "Public instance; files uploaded to external infrastructure; Estonian-hosted", - "localInstall": false, + "bestFor": "Building custom mapping applications and geospatial visualizations", + "input": "Map configuration and data sources", + "output": "Interactive web-based maps with custom features", + "opsec": "passive", + "opsecNote": "Client-side mapping library built on open data", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "Koodous", + "name": "Playwright (T)", "type": "url", - "url": "https://koodous.com", - "description": "Collaborative platform for Android malware research and analysis with community-driven database of 70+ million Android applications with crowd-sourced malware detection.", + "url": "https://github.com/microsoft/playwright", + "description": "Open-source browser automation framework for reliable scripted web interaction and extraction.", "status": "live", - "pricing": "freemium", - "bestFor": "Android malware analysis with community collaboration and threat intelligence", - "input": "Android APK files, 
package names, hashes", - "output": "Malware detection results, community analysis, threat indicators, sample sharing", + "pricing": "free", + "bestFor": "Automated page interaction and data extraction workflows", + "input": "Automation scripts and target URLs", + "output": "Rendered page data, screenshots, and structured extraction artifacts", "opsec": "active", - "opsecNote": "Registration available; community platform with shared threat intelligence", - "localInstall": false, + "opsecNote": "Automated browsing leaves detectable traffic and browser fingerprints.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
@@ -19387,18 +19385,18 @@ "deprecated": false }, { - "name": "Any Run", + "name": "Selenium (T)", "type": "url", - "url": "https://app.any.run/", - "description": "Interactive malware analysis sandbox allowing real-time manual interaction with Windows, macOS, Linux, and Android environments. Fast report generation with MITRE ATT&CK mapping.", + "url": "https://github.com/SeleniumHQ/selenium", + "description": "Open-source browser automation suite for scripting data collection and reproducible web interactions.", "status": "live", - "pricing": "freemium", - "bestFor": "Interactive malware analysis with real-time system interaction", - "input": "Files, URLs, APKs, documents (platform-specific)", - "output": "Process graphs, behavioral analysis, MITRE ATT&CK TTPs, IOCs, customizable reports", + "pricing": "free", + "bestFor": "Browser automation for repeatable collection tasks", + "input": "Automation scripts and browser drivers", + "output": "Automated interactions, captured content, and test/extraction logs", "opsec": "active", - "opsecNote": "Interactive analysis leaves traces; free tier limited to 3 public analyses/day; private mode in paid plans", - "localInstall": false, + "opsecNote": "Automated traffic can be rate-limited or flagged by anti-bot systems.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
@@ -19407,44 +19405,64 @@ "deprecated": false }, { - "name": "Uncover It", + "name": "pandas (T)", "type": "url", - "url": "https://www.uncoverit.org/", - "description": "Static malware configuration extractor that quickly analyzes files without execution to extract malware configurations, C2 infrastructure, and IOCs in under 5 seconds.", + "url": "https://github.com/pandas-dev/pandas", + "description": "Open-source Python data analysis library for cleaning, transforming, and correlating collected datasets.", "status": "live", "pricing": "free", - "bestFor": "Fast static malware configuration extraction", - "input": "Malware samples, executable files", - "output": "Extracted configurations, C2 servers, encryption keys, behavioral indicators", + "bestFor": "Post-collection data cleaning and analysis", + "input": "CSV, JSON, tabular data, and dataframe operations", + "output": "Cleaned datasets, analysis tables, and exportable reports", "opsec": "passive", - "opsecNote": "Static analysis only; no code execution; quick analysis without external dependencies", - "localInstall": false, + "opsecNote": "Local data processing library with no inherent external traffic.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false } ] }, { - "name": "Office Files", + "name": "Free Document & Data Analysis", "type": "folder", "children": [ { - "name": "Office Mal Scanner (T)", + "name": "Apache Tika (T)", "type": "url", - "url": "https://www.reconstructer.org/", - "description": "Malicious Office document analysis tool for analyzing and reconstructing Office documents to identify exploits and malicious content.", + "url": "https://tika.apache.org/", + "description": "Free content analysis toolkit extracting text and metadata from various documents (PDFs, Word, Excel, Images, etc.)", "status": "live", "pricing": "free", - "bestFor": "Malicious Office document analysis and 
reconstruction", - "input": "Microsoft Office documents (.doc, .xls, .ppt)", - "output": "Document structure analysis, malicious content extraction, exploit identification", - "opsec": "active", - "opsecNote": "Document upload required; analysis service online", - "localInstall": false, + "bestFor": "Document parsing and metadata extraction at scale", + "input": "Document files of any format", + "output": "Extracted text, metadata, document structure", + "opsec": "passive", + "opsecNote": "Local document processing; no external communication", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "LibreOffice (T)", + "type": "url", + "url": "https://www.libreoffice.org/", + "description": "Free open-source office suite supporting document conversion, metadata display, and document analysis", + "status": "live", + "pricing": "free", + "bestFor": "Opening and analyzing documents while preserving metadata", + "input": "Office documents (Word, Excel, Sheets, PDF)", + "output": "Document content, formatting, embedded data", + "opsec": "passive", + "opsecNote": "Local desktop application; no internet connectivity required", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
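Review bot: The LibreOffice entry is marked `passive` with "no internet connectivity required", but this hunk replaces the "Office Files" folder, whose removed entry covered malicious Office documents, so readers may reach it with untrusted files. Opening such a document in a full office suite can run macros or fetch linked remote content, which turns a "passive" step into an outbound request from the analyst's machine. I would state that in the note, e.g. `"opsecNote": "Local application; open untrusted documents offline or in an isolated VM, since macros and linked remote content can execute or call out"`. The Apache Tika note "no external communication" may need the same check, depending on how the parser is configured. The LibreOffice entry continues past the end of this hunk.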
@@ -19453,17 +19471,17 @@ "deprecated": false }, { - "name": "OffVis (T)", + "name": "Strings (T)", "type": "url", - "url": "https://download.microsoft.com/download/1/2/7/127ba59a-4fe1-4acd-ba47-513ceef85a85/OffVis.zip", - "description": "Microsoft Office Visualization Tool for analyzing Office binary files to identify exploits and malicious structures. Displays hex and object tree views.", + "url": "https://en.wikipedia.org/wiki/Strings_(Unix)", + "description": "Unix command-line utility extracting printable strings from any binary file type", "status": "live", "pricing": "free", - "bestFor": "Office binary file format analysis and exploit detection", - "input": "Office binary files (.doc, .xls, .ppt, .pps, .pot)", - "output": "File structure visualization, hex dump, object trees, vulnerability detection", + "bestFor": "Quick text extraction from binaries without decompilation", + "input": "Binary file", + "output": "ASCII and Unicode strings found in file", "opsec": "passive", - "opsecNote": "Local desktop application; no file uploads; Microsoft-provided tool", + "opsecNote": "Local utility; no external communication", "localInstall": true, "googleDork": false, "registration": false, 
@@ -19471,45 +19489,39 @@ "api": false, "invitationOnly": false, "deprecated": false - } - ] - }, - { - "name": "PDFs", - "type": "folder", - "children": [ + }, { - "name": "PDF Tools (T)", + "name": "pdfplumber (T)", "type": "url", - "url": "https://blog.didierstevens.com/programs/pdf-tools/", - "description": "Free suite of PDF analysis tools by Didier Stevens including pdfid (keyword scanning) and pdf-parser.py for analyzing malicious PDF documents and extracting embedded objects.", + "url": "https://github.com/jsvine/pdfplumber", + "description": "Open-source Python library for extracting text, tables, and metadata details from PDF files.", "status": "live", "pricing": "free", - "bestFor": "PDF structure analysis and malicious object extraction", + "bestFor": "Structured PDF text and table extraction", "input": "PDF files", - "output": "PDF keyword identification, object parsing, embedded JavaScript detection, IOC extraction", + "output": "Extracted text, table structures, and layout-derived artifacts", "opsec": "passive", - "opsecNote": "Command-line tools; local execution; open-source from reputable security researcher", + "opsecNote": "Local file parsing does not require external submissions.", "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "Origami Framework (T)", + "name": "OCRmyPDF (T)", "type": "url", - "url": "https://code.google.com/archive/p/origami-pdf/", - "description": "Ruby framework for parsing, analyzing, and forging PDF documents. 
Includes PDF Walker GUI and PDFcop heuristic checker for detecting dangerous PDF content.", + "url": "https://github.com/ocrmypdf/OCRmyPDF", + "description": "Open-source OCR pipeline that adds searchable text layers to scanned PDFs using Tesseract.", "status": "live", "pricing": "free", - "bestFor": "PDF parsing and manipulation for malicious PDF analysis", - "input": "PDF files, PDF objects, malicious content", - "output": "Parsed PDF structure, extracted objects, deobfuscated content, modified PDFs", + "bestFor": "Converting scanned PDFs into searchable investigation-ready documents", + "input": "Scanned PDF files", + "output": "OCR-enhanced searchable PDFs", "opsec": "passive", - "opsecNote": "Open-source framework; local installation required; no file uploads", + "opsecNote": "All OCR processing can run locally in offline environments.", "localInstall": true, "googleDork": false, "registration": false, 
@@ -19521,508 +19533,680 @@ ] }, { - "name": "PCAPs", + "name": "Free Developer & Utility Tools", "type": "folder", "children": [ { - "name": "Malware-Traffic-Analysis.net", + "name": "VS Code (T)", "type": "url", - "url": "https://www.malware-traffic-analysis.net/index.html", - "description": "Training resource and PCAP repository providing network traffic captures from malware infections since 2013. Includes tutorials and exercises for malware traffic analysis.", + "url": "https://code.visualstudio.com/", + "description": "Free lightweight code editor with extensive plugin ecosystem for scripting, data analysis, and OSINT automation", "status": "live", "pricing": "free", - "bestFor": "Malware network behavior analysis and training exercises", - "input": "PCAP files, network traffic captures", - "output": "Network indicators (IPs, domains, C2 servers), behavioral analysis, post-exploitation patterns", + "bestFor": "Writing and debugging Python, JavaScript, and bash scripts", + "input": "Code files and scripts", + "output": "Execution environment and development workflow", "opsec": "passive", - "opsecNote": "PCAP analysis is passive; no live malware execution; educational resource", - "localInstall": false, + "opsecNote": "Local development environment with telemetry settings", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false - } - ] - }, - { - "name": "Ghidra (T)", - "type": "url", - "url": "https://github.com/NationalSecurityAgency/ghidra", - "description": "Free and open-source reverse engineering framework from NSA for analyzing compiled software. 
Includes disassembly, decompilation, scripting, and interactive graphing for malware analysis.", - "status": "live", - "pricing": "free", - "bestFor": "Reverse engineering and static malware analysis", - "input": "Executable files (ELF, PE, Mach-O, raw binaries), multiple architectures", - "output": "Disassembly, decompiled code, control flow graphs, function analysis, custom scripts", - "opsec": "passive", - "opsecNote": "Local desktop application; no file uploads; open-source from NSA", - "localInstall": true, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "Malware Analysis Tools", - "type": "url", - "url": "https://malwareanalysis.tools/", - "description": "Curated resource and reference guide for malware analysis tools with recommendations for virtualization, safety practices, and tool selection for analysis scenarios.", - "status": "live", - "pricing": "free", - "bestFor": "Malware analysis tool discovery and best practices reference", - "input": "Tool research, methodology guidance", - "output": "Tool recommendations, analysis methodologies, safety practices, learning resources", - "opsec": "passive", - "opsecNote": "Reference resource only; no file uploads or active analysis", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "virustotal", - "type": "url", - "url": "https://www.virustotal.com/gui/home/upload", - "description": "Free online service that analyzes files and URLs for viruses, trojans and malicious content detected by 70+ antivirus engines and URL/domain reputation services.", - "status": "live", - "pricing": "freemium", - "bestFor": "Multi-engine malware scanning and URL reputation lookup", - "input": "Files, URLs, domains, IP addresses, file hashes", - "output": "Detection results from 70+ AV engines, behavioral 
analysis, file insights, related samples", - "opsec": "passive", - "opsecNote": "File uploads are indexed and visible to other users; hash-only queries are private", - "localInstall": false, - "googleDork": false, - "registration": true, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - } - ] - }, - { - "name": "Exploits & Advisories", - "type": "folder", - "children": [ - { - "name": "Default Passwords", - "type": "folder", - "children": [ + }, { - "name": "Default Passwords DB", + "name": "Git & GitHub (T)", "type": "url", - "url": "https://cirt.net/passwords/" + "url": "https://github.com/", + "description": "Free version control and repository hosting platform for open-source OSINT tools and code collaboration", + "status": "live", + "pricing": "free", + "bestFor": "Learning from open-source OSINT tools and contributing to projects", + "input": "Repository URL or searches", + "output": "Code repositories, code search, usage examples", + "opsec": "passive", + "opsecNote": "Public platform; all activity is visible", + "localInstall": true, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Default passwords list", + "name": "Postman (T)", "type": "url", - "url": "https://default-password.info/" + "url": "https://www.postman.com/", + "description": "Free API development and testing tool for building API requests, automating testing, and analyzing responses", + "status": "live", + "pricing": "freemium", + "bestFor": "Testing APIs and creating automation workflows", + "input": "API endpoints and authentication credentials", + "output": "API responses, request history, automated test results", + "opsec": "active", + "opsecNote": "Requests are sent from your machine to targets; account usage tracked", + "localInstall": true, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + 
"deprecated": false }, { - "name": "Default Password Lookup Utility", + "name": "CyberChef - Recipe Library (T)", "type": "url", - "url": "https://fortypoundhead.com/tools_dpw.asp" + "url": "https://gchq.github.io/CyberChef/", + "description": "Web-based data transformation and encoding workbench with 300+ operations for manipulation and analysis", + "status": "live", + "pricing": "free", + "bestFor": "Data encoding/decoding, hashing, and complex transformations", + "input": "Text, hex, base64, or binary data", + "output": "Transformed data with chainable operations", + "opsec": "passive", + "opsecNote": "Online tool; consider sensitivity of data being processed", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Phenoelit Default Password List", + "name": "Graphviz (T)", "type": "url", - "url": "https://phenoelit.org/dpl/dpl.html" + "url": "https://graphviz.org/", + "description": "Free graph visualization software for creating network diagrams, relationship maps, and data structure visualizations", + "status": "live", + "pricing": "free", + "bestFor": "Creating visual relationship maps and complex diagrams", + "input": "DOT language graph descriptions", + "output": "PNG, SVG, PDF diagrams and visualizations", + "opsec": "passive", + "opsecNote": "Local visualization tool; no external communication", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "Default Router Passwords", + "name": "curl (T)", "type": "url", - "url": "https://www.routerpasswords.com/" + "url": "https://curl.se/", + "description": "Free command-line utility for transferring data with URLs, supports HTTP, HTTPS, FTP, and numerous protocols", + "status": "live", + "pricing": "free", + "bestFor": "Making HTTP requests, API calls, and downloading resources 
from command line", + "input": "URL and request parameters", + "output": "Response content and headers", + "opsec": "active", + "opsecNote": "Requests are visible to target and network observers", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "Open Sez Me Default Passwords", + "name": "jq (T)", "type": "url", - "url": "https://open-sez.me/" + "url": "https://github.com/jqlang/jq", + "description": "Open-source command-line JSON processor for filtering, transforming, and validating structured data.", + "status": "live", + "pricing": "free", + "bestFor": "JSON parsing and transformation in shell workflows", + "input": "JSON files or API responses", + "output": "Filtered JSON, transformed records, and validation checks", + "opsec": "passive", + "opsecNote": "Local command-line processing with no inherent network traffic.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false }, { - "name": "Hashes.org", + "name": "GNU Parallel (T)", "type": "url", - "url": "https://hashes.org/" + "url": "https://www.gnu.org/software/parallel/", + "description": "Free command-line utility for parallelizing shell tasks across cores and hosts.", + "status": "live", + "pricing": "free", + "bestFor": "Speeding up repetitive command-line processing workflows", + "input": "Command templates and input lists", + "output": "Parallel task execution outputs and logs", + "opsec": "passive", + "opsecNote": "Parallel execution amplifies traffic if used with network commands.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "tmux (T)", + "type": "url", + "url": "https://github.com/tmux/tmux", + "description": "Open-source terminal multiplexer for 
managing long-running sessions and split-pane workflows.", + "status": "live", + "pricing": "free", + "bestFor": "Persistent terminal workflows and multitasking investigations", + "input": "Shell sessions and command execution", + "output": "Managed terminals, session persistence, and organized task panes", + "opsec": "passive", + "opsecNote": "Local workflow tool with no direct network behavior.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false } ] }, { - "name": "Vulert: Updated Open Source Vulnerability Database", - "type": "url", - "url": "https://vulert.com/vuln-db" - }, - { - "name": "MITRE ATT&CK", - "type": "url", - "url": "https://attack.mitre.org/" - }, - { - "name": "Exploit DB", - "type": "url", - "url": "https://www.exploit-db.com/" - }, - { - "name": "Packet Storm", - "type": "url", - "url": "https://packetstormsecurity.com/" - }, - { - "name": "SecurityFocus", - "type": "url", - "url": "https://www.securityfocus.com/bid" - }, - { - "name": "NVD - NIST", - "type": "url", - "url": "https://nvd.nist.gov/" - }, - { - "name": "OSV Vulnerability Library", - "type": "url", - "url": "https://osv.dev/list" - }, - { - "name": "CVE Details", - "type": "url", - "url": "https://www.cvedetails.com/" - }, - { - "name": "CVE - MITRE", - "type": "url", - "url": "https://www.cve.org/" - }, - { - "name": "OWASP", - "type": "url", - "url": "https://www.owasp.org/index.php/Main_Page" - }, - { - "name": "Secunia", - "type": "url", - "url": "https://secuniaresearch.flexerasoftware.com/community/research/" - }, - { - "name": "Australian Cyber Security Centre", - "type": "url", - "url": "https://www.cyber.gov.au/" - }, - { - "name": "Canadian Centre for Cyber Security", - "type": "url", - "url": "https://www.cyber.gc.ca/" - } - ] - }, - { - "name": "Threat Intelligence", - "type": "folder", - "children": [ - { - "name": "Phishing", + "name": "Free Documentation & 
Reference", "type": "folder", "children": [ { - "name": "SecAI.ai", + "name": "OWASP Foundation (T)", "type": "url", - "url": "https://secai.ai/research", - "description": "Security research platform providing threat intelligence, vulnerability analysis, and cybersecurity insights with focus on emerging threats.", + "url": "https://owasp.org/", + "description": "Free open-source security foundation providing web security testing guidelines, vulnerability frameworks, and tools", "status": "live", "pricing": "free", - "bestFor": "Security research and threat intelligence", - "input": "Threat indicator or research topic", - "output": "Research articles and threat analysis", + "bestFor": "Security best practices, vulnerability testing methodology, and threat modeling", + "input": "Security question or topic search", + "output": "Documentation, testing guides, tool recommendations", "opsec": "passive", - "opsecNote": "Passive threat intelligence platform", + "opsecNote": "Educational reference material", "localInstall": false, "googleDork": false, - "invitationOnly": false, "registration": false, "editUrl": false, "api": false, + "invitationOnly": false, "deprecated": false }, { - "name": "https://openphish.com/feed.txt", + "name": "NIST Cybersecurity Framework (T)", "type": "url", - "url": "https://openphish.com/feed.txt", - "description": "Real-time phishing URL feed providing confirmed malicious phishing sites updated continuously.", + "url": "https://www.nist.gov/cyberframework/", + "description": "Free US government cybersecurity framework and guidelines for identifying and managing security risks", "status": "live", "pricing": "free", - "bestFor": "Phishing URL detection", - "input": "Feed subscription or URL lookup", - "output": "Phishing URLs and malicious domains", + "bestFor": "Security strategy, risk assessment, and framework implementation", + "input": "Organization security goals", + "output": "Framework guidance, assessment tools, best practices", "opsec": 
"passive", - "opsecNote": "Passive feed consumption of public phishing data", + "opsecNote": "Long-term strategic reference material", "localInstall": false, "googleDork": false, - "api": true, - "invitationOnly": false, "registration": false, "editUrl": false, + "api": false, + "invitationOnly": false, "deprecated": false }, { - "name": "PhishTank", + "name": "StackOverflow (T)", "type": "url", - "url": "https://www.phishtank.com/", - "description": "Community-driven phishing URL database where users submit and verify suspected phishing sites.", + "url": "https://stackoverflow.com/", + "description": "Free community Q&A platform for programming and scripting questions with comprehensive solutions for OSINT automation", "status": "live", "pricing": "free", - "bestFor": "Phishing site verification", - "input": "Phishing URL or suspected malicious site", - "output": "Phishing status and community verification votes", + "bestFor": "Finding code examples and solutions for OSINT scripting challenges", + "input": "Programming questions", + "output": "Code examples and community solutions", "opsec": "passive", - "opsecNote": "Passive lookup of community-reported database", + "opsecNote": "Public platform; all activity visible", "localInstall": false, "googleDork": false, - "editUrl": true, + "registration": true, + "editUrl": false, "api": true, "invitationOnly": false, - "registration": false, "deprecated": false }, { - "name": "PhishStats", + "name": "MITRE ATT&CK (T)", "type": "url", - "url": "https://phishstats.info/", - "description": "Phishing detection and analysis platform providing statistics on campaigns and domain intelligence.", + "url": "https://attack.mitre.org/", + "description": "Free knowledge base of adversary tactics and techniques for threat modeling and investigative mapping.", "status": "live", "pricing": "free", - "bestFor": "Phishing campaign analysis", - "input": "Domain, IP, or keyword", - "output": "Campaign tracking and threat profiles", + 
"bestFor": "Technique mapping and defensive context during investigations", + "input": "Threat behaviors, indicators, or technique IDs", + "output": "Technique documentation, procedure examples, mitigations, and detections", "opsec": "passive", - "opsecNote": "Passive querying of phishing statistics database", + "opsecNote": "Reference-only content with no target interaction.", "localInstall": false, "googleDork": false, - "api": true, - "invitationOnly": false, "registration": false, "editUrl": false, - "deprecated": false - } - ] - }, - { - "name": "IOC Tools", - "type": "folder", - "children": [ - { - "name": "Jager", - "type": "url", - "url": "https://github.com/sroberts/jager", - "description": "Python IOC aggregation and analysis tool for collecting and organizing security indicators.", - "status": "live", - "pricing": "free", - "bestFor": "IOC collection and aggregation", - "input": "IOC feeds or indicator lists", - "output": "Aggregated IOC database in standardized format", - "opsec": "passive", - "opsecNote": "Local processing of public feeds", - "localInstall": true, - "googleDork": false, "api": true, "invitationOnly": false, - "registration": false, - "editUrl": false, "deprecated": false }, { - "name": "IOC Parser", + "name": "CISA Cybersecurity Advisories", "type": "url", - "url": "https://github.com/armbues/ioc_parser", - "description": "Python library for extracting and parsing IOCs from raw text and security reports.", + "url": "https://www.cisa.gov/news-events/cybersecurity-advisories", + "description": "Free official cybersecurity advisories and alerts published by CISA.", "status": "live", "pricing": "free", - "bestFor": "IOC extraction from reports", - "input": "Raw text or security reports", - "output": "Parsed IOCs in structured format", + "bestFor": "Trusted vulnerability and threat guidance references", + "input": "CVE IDs, advisory topics, and campaign keywords", + "output": "Advisories, mitigation guidance, and operational 
recommendations", "opsec": "passive", - "opsecNote": "Local text analysis without network interaction", - "localInstall": true, + "opsecNote": "Read-only government reference source.", + "localInstall": false, "googleDork": false, - "invitationOnly": false, "registration": false, "editUrl": false, "api": false, + "invitationOnly": false, "deprecated": false + } + ] + }, + { + "name": "Graph Visualization", + "type": "folder", + "children": [ + { + "name": "MIDINS TITAN", + "type": "url", + "url": "https://github.com/Med0-n/Midins_Titan-Osint_Tool" + } + ] + }, + { + "name": "Pentesting Recon", + "type": "folder", + "children": [ + { + "name": "Low Hanging Fruit (T)", + "type": "url", + "url": "https://github.com/blindfuzzy/LHF" + } + ] + }, + { + "name": "Virtual Machines", + "type": "folder", + "children": [ + { + "name": "VMware Workstation Player (T)", + "type": "url", + "url": "https://www.vmware.com/products/player/playerpro-evaluation.html" }, { - "name": "Cacador", + "name": "VirtualBox (T)", "type": "url", - "url": "https://github.com/sroberts/cacador", - "description": "Python tool for indicator extraction and deduplication from threat intelligence documents.", - "status": "live", - "pricing": "free", - "bestFor": "Indicator extraction and deduplication", - "input": "Documents and threat feeds", - "output": "Extracted and deduplicated IOCs", - "opsec": "passive", - "opsecNote": "Local processing tool for passive analysis", - "localInstall": true, - "googleDork": false, - "invitationOnly": false, - "registration": false, - "editUrl": false, - "api": false, - "deprecated": false + "url": "https://www.virtualbox.org/" }, { - "name": "ThreatPinch Lookup", + "name": "Buscador OS (T)", "type": "url", - "url": "https://github.com/cloudtracer/ThreatPinchLookup", - "description": "Browser extension and Python tool for enriching IOCs with real-time threat intelligence.", - "status": "live", - "pricing": "free", - "bestFor": "Indicator enrichment", - "input": "IOC or 
domain/IP/hash", - "output": "Enriched threat intelligence from multiple sources", - "opsec": "passive", - "opsecNote": "Passive lookup of public threat intel APIs", - "localInstall": true, - "googleDork": false, - "api": true, - "invitationOnly": false, - "registration": false, - "editUrl": false, - "deprecated": false + "url": "https://inteltechniques.com/buscador/index.html" }, { - "name": "Mimir", + "name": "Kali Linux OS (T)", "type": "url", - "url": "https://github.com/NullArray/Mimir", - "description": "IOC extraction and validation tool from security reports (unmaintained).", - "status": "live", - "pricing": "free", - "bestFor": "IOC extraction and validation", - "input": "Security reports and documents", - "output": "Validated IOCs in structured format", - "opsec": "passive", - "opsecNote": "Local processing tool for passive extraction", - "localInstall": true, - "googleDork": false, - "invitationOnly": false, - "deprecated": true, - "registration": false, - "editUrl": false, - "api": false + "url": "https://www.kali.org/" }, { - "name": "iocextract (T)", + "name": "ParrotSec OS (T)", "type": "url", - "url": "https://github.com/InQuest/iocextract", - "description": "Python library and CLI tool for rapid IOC extraction with support for obfuscated indicators.", - "status": "live", - "pricing": "free", - "bestFor": "IOC extraction with deobfuscation", - "input": "Raw text with obfuscated indicators", - "output": "Extracted IOCs including decoded variants", - "opsec": "passive", - "opsecNote": "Local text parsing without network interaction", - "localInstall": true, - "googleDork": false, - "invitationOnly": false, - "registration": false, - "editUrl": false, - "api": false, - "deprecated": false + "url": "https://www.parrotsec.org/" }, { - "name": "ThreatIngestor (T)", + "name": "Microsoft Edge Development OS VMs (T)", "type": "url", - "url": "https://github.com/InQuest/ThreatIngestor", - "description": "Modular IOC ingestion platform for automated threat 
indicator extraction from multiple sources.", - "status": "live", - "pricing": "free", - "bestFor": "Automated IOC collection and enrichment", - "input": "Multiple threat feeds and RSS sources", - "output": "Aggregated and enriched IOCs in repository", - "opsec": "passive", - "opsecNote": "Passive aggregation of public threat feeds", - "localInstall": true, - "googleDork": false, - "api": true, - "invitationOnly": false, - "registration": false, - "editUrl": false, - "deprecated": false + "url": "https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/" + }, + { + "name": "Subgraph OS (T)", + "type": "url", + "url": "https://subgraph.com/index.en.html" + }, + { + "name": "Tails Live OS (T)", + "type": "url", + "url": "https://tails.boum.org/" + }, + { + "name": "Whonix (T)", + "type": "url", + "url": "https://www.whonix.org/wiki/Main_Page" } ] }, { - "name": "TTPs", + "name": "Wordlist", "type": "folder", "children": [ { - "name": "Malware Exploit TTP Database", + "name": "CeWL (T)", "type": "url", - "url": "https://www.pwnmalw.re/", - "description": "Malware exploit database documenting security vulnerabilities in malware families (offline).", - "status": "down", + "url": "https://github.com/digininja/CeWL" + }, + { + "name": "Cupp (T)", + "type": "url", + "url": "https://github.com/Mebus/cupp" + }, + { + "name": "OWASP D4N155 (T)", + "type": "url", + "url": "https://github.com/OWASP/D4N155" + }, + { + "name": "W Generator", + "type": "url", + "url": "https://app.wgen.io/" + } + ] + }, + { + "name": "Paterva / Maltego (T)", + "type": "url", + "url": "https://www.maltego.com/", + "description": "Visual link analysis tool for mapping relationships between people, companies, domains, and infrastructure.", + "status": "live", + "pricing": "freemium", + "bestFor": "Link analysis, relationship mapping, entity correlation", + "input": "Domain, email, IP, name, phone number", + "output": "Entity relationship graph, linked records, transform results", + "opsec": 
"active", + "opsecNote": "Transforms may query targets directly. Some data sources log lookups.", + "localInstall": true, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Overview", + "type": "url", + "url": "https://www.overviewdocs.com/" + }, + { + "name": "Online Nikto scanner", + "type": "url", + "url": "https://nikto.online/" + } + ] + }, + { + "name": "AI Tools", + "type": "folder", + "children": [ + { + "name": "AI or Not", + "type": "url", + "url": "https://www.aiornot.com/" + }, + { + "name": "Copyleaks", + "type": "url", + "url": "https://copyleaks.com/" + }, + { + "name": "Decopy AI Image Detector", + "type": "url", + "url": "https://decopy.ai/ai-image-detector/" + }, + { + "name": "DeepAI AI Image Detector", + "type": "url", + "url": "https://deepai.org/ai-image-detector" + }, + { + "name": "DeepSeek", + "type": "url", + "url": "https://www.deepseek.com/" + }, + { + "name": "DocMind AI", + "type": "url", + "url": "https://github.com/BjornMelin/docmind-ai-llm" + }, + { + "name": "DuckDuckGo AI Chat", + "type": "url", + "url": "https://duckduckgo.com/aichat" + }, + { + "name": "GPTZero", + "type": "url", + "url": "https://gptzero.me/" + }, + { + "name": "Grammarly AI Detector", + "type": "url", + "url": "https://www.grammarly.com/ai-detector" + }, + { + "name": "Hive AI Generated Content Detection", + "type": "url", + "url": "https://hivemoderation.com/ai-generated-content-detection" + }, + { + "name": "Hugging Face AI Detector", + "type": "url", + "url": "https://huggingface.co/spaces/umm-maybe/AI_Detector" + }, + { + "name": "Illuminarty", + "type": "url", + "url": "https://app.illuminarty.ai/" + }, + { + "name": "Microsoft Copilot", + "type": "url", + "url": "https://copilot.microsoft.com/" + }, + { + "name": "Ollama", + "type": "url", + "url": "https://ollama.com/" + }, + { + "name": "OSINT Analyser", + "type": "url", + "url": 
"https://github.com/joestanding/osint-analyser" + }, + { + "name": "TrueMedia", + "type": "url", + "url": "https://www.truemedia.org/" + }, + { + "name": "WasItAI", + "type": "url", + "url": "https://wasitai.com/" + }, + { + "name": "World Monitor", + "type": "url", + "url": "https://www.worldmonitor.app/" + }, + { + "name": "You.com", + "type": "url", + "url": "https://you.com/" + } + ] + }, + { + "name": "Malicious File Analysis", + "type": "folder", + "children": [ + { + "name": "Search", + "type": "folder", + "children": [ + { + "name": "Decalage Malware Search", + "type": "url", + "url": "https://decalage.info/en/mwsearch", + "description": "Custom metasearch engine that indexes malware analysis databases to find malware samples containing specific strings, filenames, hashes, or IOCs.", + "status": "live", "pricing": "free", - "bestFor": "Malware exploit research", - "input": "Malware name or exploit query", - "output": "Exploit documentation and vulnerability details", + "bestFor": "Quick metasearch across multiple malware analysis databases by hash, string, or filename", + "input": "IOC (hash, filename, string, yara rule, VT hash)", + "output": "Links to malware analysis reports from aggregated databases", "opsec": "passive", - "opsecNote": "Passive lookup when functional", + "opsecNote": "Search-only interface; no account required; queries are directed to indexed databases", "localInstall": false, "googleDork": false, "registration": false, - "editUrl": false, + "editUrl": true, "api": false, "invitationOnly": false, - "deprecated": true + "deprecated": false }, { - "name": "Mitre TTPs", + "name": "VirusShare.com", "type": "url", - "url": "https://attack.mitre.org/", - "description": "MITRE ATT&CK framework: globally-accessible knowledge base of adversary tactics and techniques.", + "url": "https://virusshare.com/", + "description": "Repository of 111+ million live malware samples provided for security researchers, incident responders, forensic analysts, 
and researchers.", "status": "live", "pricing": "free", - "bestFor": "Threat modeling and TTP analysis", - "input": "Search for tactics, techniques, or threat groups", - "output": "Technique descriptions and mitigation strategies", + "bestFor": "Bulk access to malware sample collections for research and analysis", + "input": "MD5 hash, account credentials", + "output": "Malware sample files (zip archives, password protected), related IOCs", "opsec": "passive", - "opsecNote": "Passive research of public threat intelligence", + "opsecNote": "Registration required; no direct execution occurs; passive hash lookup available", + "localInstall": false, + "googleDork": false, + "registration": true, + "editUrl": true, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "#totalhash", + "type": "url", + "url": "https://totalhash.cymru.com/", + "description": "Malware Hash Registry that searches against 30+ antivirus databases to validate malware hashes with detection percentage results. 
Updated daily.", + "status": "live", + "pricing": "free", + "bestFor": "Hash validation against 30+ AV engines with detection percentages", + "input": "MD5 or SHA-1 hash", + "output": "Detection percentage, last seen timestamp, signature matches from AV databases", + "opsec": "passive", + "opsecNote": "No registration required; read-only hash lookups leave minimal traces", "localInstall": false, "googleDork": false, "registration": false, - "editUrl": false, + "editUrl": true, "api": true, "invitationOnly": false, "deprecated": false - } - ] - }, - { - "name": "Terrorism & Extremism", - "type": "folder", - "children": [ + }, { - "name": "Academic Research", - "type": "folder", - "children": [ - { - "name": "Global Terrorism Database", + "name": "VX Vault", + "type": "url", + "url": "https://vxvault.net/ViriList.php", + "description": "Active collection of malware samples and related data shared among security researchers and malware analysts for threat intelligence.", + "status": "live", + "pricing": "free", + "bestFor": "Access to active malware sample collections", + "input": "Web interface browsing, malware sample queries", + "output": "Malware sample information, related indicators", + "opsec": "passive", + "opsecNote": "Web-based browsing interface; no registration typically required", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "ID Ransomware", + "type": "url", + "url": "https://id-ransomware.malwarehunterteam.com/", + "description": "Free ransomware identification tool that analyzes ransom notes and encrypted file samples to identify variants and provide decryption guidance. 
Detects 1181+ ransomware types.", + "status": "live", + "pricing": "free", + "bestFor": "Ransomware identification and victim support", + "input": "Ransom note file, encrypted file sample, ransom email address", + "output": "Ransomware variant identification, decryption status, victim resources", + "opsec": "passive", + "opsecNote": "File uploads provide victim privacy options to protect personal data exposure", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "National Software Reference Library", + "type": "url", + "url": "https://nsrl.hashsets.com/national_software_reference_library1_search.php", + "description": "NIST-maintained repository of cryptographic hash values for known, legitimate software to identify known-good files during digital forensics investigations.", + "status": "live", + "pricing": "free", + "bestFor": "Eliminating known-good files in forensic investigations and digital triage", + "input": "File hash (MD5, SHA-1, SHA-256), software query", + "output": "Hash matches to known software, file metadata, product versioning", + "opsec": "passive", + "opsecNote": "No registration required; lookup-only service; government maintained", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": true, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Hosted Automated Analysis", + "type": "folder", + "children": [ + { + "name": "Office Files", + "type": "folder", + "children": [ + { + "name": "TYLabs QuickSand Framework", "type": "url", - "url": "https://www.start.umd.edu/research-projects/global-terrorism-database-gtd", - "description": "Academic database of terrorist attacks maintained by START at University of Maryland.", + "url": "https://scan.tylabs.com/", + "description": "Python-based malware analysis framework for analyzing Office documents and PDFs to 
identify exploits in decoded streams using YARA signatures.", "status": "live", - "pricing": "free", - "bestFor": "Terrorism research and analysis", - "input": "Search by attack, group, or date", - "output": "Terrorist attack records and analysis data", - "opsec": "passive", - "opsecNote": "Passive academic research database", - "localInstall": false, + "pricing": "freemium", + "bestFor": "Document and PDF malware analysis with exploit detection", + "input": "Office documents (.doc, .xls, .ppt), PDFs, emails, Postscript", + "output": "YARA signature matches, exploit detection, risk scoring, threat analysis", + "opsec": "active", + "opsecNote": "Hosted analysis requires file upload; local installation available for offline use", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
@@ -20031,84 +20215,44 @@ "deprecated": false }, { - "name": "START Consortium for the Study of Terrorism and Responses to Terrorism", + "name": "JoeSandbox Document Analyzer", "type": "url", - "url": "https://www.start.umd.edu/", - "description": "National Consortium conducting research on terrorism causes, consequences, and responses.", + "url": "https://www.joesandbox.com/", + "description": "Hosted automated malware analysis service that performs dynamic and static analysis of files including Office documents, PDFs, and executables with comprehensive behavioral reporting.", "status": "live", - "pricing": "free", - "bestFor": "Terrorism research and education", - "input": "Research topics and publications", - "output": "Academic research and threat intelligence", - "opsec": "passive", - "opsecNote": "Passive academic research access", + "pricing": "freemium", + "bestFor": "Comprehensive malware analysis with behavioral insights and threat scoring", + "input": "Executable files, documents, PDFs, URLs, APKs (Max 30MB free tier)", + "output": "Behavioral analysis, network IOCs, detection verdicts, MITRE ATT&CK mappings, export formats (JSON, XML, HTML, PDF)", + "opsec": "active", + "opsecNote": "File uploads are processed on external sandbox; free tier limited to 30 submissions/month", "localInstall": false, "googleDork": false, "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false } ] }, { - "name": "Research Centers", + "name": "PDFs", "type": "folder", "children": [ { - "name": "CSIS Warfare, Irregular Threats, and Terrorism Program", - "type": "url", - "url": "https://www.csis.org/programs/warfare-irregular-threats-and-terrorism-program", - "description": "Research program analyzing terrorism, cyber threats, and irregular warfare.", - "status": "live", - "pricing": "free", - "bestFor": "Terrorism and threat analysis research", - "input": "Research topics and reports", - "output": "Reports and 
analysis on terrorism and warfare", - "opsec": "passive", - "opsecNote": "Passive access to public research", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "Institute for Strategic Dialogue", - "type": "url", - "url": "https://www.isdglobal.org/", - "description": "International research organization studying conflict, extremism, and social change.", - "status": "live", - "pricing": "free", - "bestFor": "Extremism and conflict research", - "input": "Research topics and publications", - "output": "Research reports and analysis", - "opsec": "passive", - "opsecNote": "Passive access to public research", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "RAND Terrorism Research", + "name": "TYLabs QuickSand Framework", "type": "url", - "url": "https://www.rand.org/topics/terrorism.html", - "description": "RAND Corporation's collection of research and analysis on terrorism topics.", + "url": "https://scan.tylabs.com/", + "description": "Python-based malware analysis framework for analyzing Office documents and PDFs to identify exploits in decoded streams using YARA signatures.", "status": "live", - "pricing": "free", - "bestFor": "Terrorism research and policy analysis", - "input": "Search for terrorism research", - "output": "Academic papers and research findings", - "opsec": "passive", - "opsecNote": "Passive access to public research", - "localInstall": false, + "pricing": "freemium", + "bestFor": "Document and PDF malware analysis with exploit detection", + "input": "Office documents (.doc, .xls, .ppt), PDFs, emails, Postscript", + "output": "YARA signature matches, exploit detection, risk scoring, threat analysis", + "opsec": "active", + "opsecNote": "Hosted analysis requires file upload; local installation 
available for offline use", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false, 
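Review bot: The added `opsecNote` for JoeSandbox Document Analyzer says only that uploads are "processed on external sandbox". It does not say whether the submitted file or its report is retained or visible to third parties, which an analyst needs to know before uploading a sample from a live case. The same gap is in the Akana Android Malware and Joe APK Analyzer notes in the next hunk (`@@ -20119,41 +20263,41 @@`). I would word it along the lines of `"opsecNote": "File uploads are processed on an external sandbox and may be retained or visible to other users; check the sharing policy before submitting sensitive samples; free tier limited to 30 submissions/month"`, adjusted to each service's actual policy. The `opsec` value also looks inconsistent: these upload services are `"active"`, while the VirusTotal entry added later in this diff is `"passive"` even though its note says uploaded files become visible to other users. The second TYLabs entry (under "PDFs") continues past the end of this hunk, so its remaining fields are not reviewed here.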
@@ -20119,41 +20263,41 @@ ] }, { - "name": "Sanctions & Watchlists", + "name": "Android", "type": "folder", "children": [ { - "name": "OFAC Sanctions List Search", + "name": "Akana Android Malware", "type": "url", - "url": "https://sanctionssearch.ofac.treas.gov/", - "description": "U.S. Treasury tool for searching SDN and sanctions lists with approximate string matching.", + "url": "https://akana.mobiseclab.org/", + "description": "Online Android Interactive Analysis Environment with plugins for analyzing malicious Android applications and APKs for suspicious behavior and malware characteristics.", "status": "live", "pricing": "free", - "bestFor": "Sanctions list lookups", - "input": "Person or entity name", - "output": "Sanctions status and entity information", - "opsec": "passive", - "opsecNote": "Government database lookup with approximate matching", + "bestFor": "Android app malware analysis and interactive examination", + "input": "Android APK files", + "output": "Malware detection results, behavioral analysis, plugin-based threat assessment", + "opsec": "active", + "opsecNote": "File uploads required; external analysis service", "localInstall": false, "googleDork": false, "registration": false, - "editUrl": true, + "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "OpenSanctions", + "name": "Joe APK Analyzer", "type": "url", - "url": "https://www.opensanctions.org/", - "description": "Platform aggregating global sanctions, watchlists, and PEP data from 329 sources.", + "url": "https://www.apk-analyzer.net/", + "description": "Part of Joe Sandbox suite; performs dynamic and static analysis of Android Application Packages to detect malicious behavior and generate detailed analysis reports.", "status": "live", "pricing": "freemium", - "bestFor": "Sanctions and compliance research", - "input": "Person, company, or entity name", - "output": "Sanctions status and entity details", - "opsec": "passive", - "opsecNote": 
"Passive lookup of aggregated public data", + "bestFor": "Android malware analysis with dynamic behavior monitoring", + "input": "Android APK files", + "output": "Malware detection, behavioral analysis, threat intelligence IOCs", + "opsec": "active", + "opsecNote": "File uploads to external sandbox; free tier has limitations", "localInstall": false, "googleDork": false, "registration": false, 
@@ -20161,58 +20305,1076 @@ "api": true, "invitationOnly": false, "deprecated": false - }, - { - "name": "UN Security Council Consolidated List", - "type": "url", - "url": "https://main.un.org/securitycouncil/en/content/un-sc-consolidated-list", - "description": "Official UN Security Council list of designated individuals and entities.", - "status": "live", - "pricing": "free", - "bestFor": "UN sanctions verification", - "input": "Person or entity name", - "output": "UN designation status", - "opsec": "passive", - "opsecNote": "Passive lookup of official UN data", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false } ] }, { - "name": "Terrorist Financing", - "type": "folder", - "children": [ - { - "name": "Terrorist Finance Tracking Program", - "type": "url", - "url": "https://home.treasury.gov/policy-issues/terrorism-and-illicit-finance/terrorist-finance-tracking-program-tftp", - "description": "U.S. 
Treasury program tracking terrorist financing and money laundering.", - "status": "live", - "pricing": "free", - "bestFor": "Terrorist financing intelligence", - "input": "Financial or entity information", - "output": "Financing intelligence and reports", - "opsec": "passive", - "opsecNote": "Government resource access", - "localInstall": false, - "googleDork": false, - "registration": false, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - } - ] - } - ] - }, - { + "name": "VirusTotal", + "type": "url", + "url": "https://www.virustotal.com/gui/", + "description": "Multi-engine file and URL scanner that aggregates results from 70+ antivirus engines and threat feeds.", + "status": "live", + "pricing": "freemium", + "bestFor": "Malware analysis, URL reputation, file hash lookups", + "input": "File, file hash, URL, domain, IP address", + "output": "Detection results, behavioral analysis, community comments, related indicators", + "opsec": "passive", + "opsecNote": "Uploaded files become visible to other VirusTotal users. 
Hash lookups are private.", + "localInstall": false, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "OPSWAT Meta Defender", + "type": "url", + "url": "https://metadefender.opswat.com/#!/", + "description": "Multi-engine malware scanning service using 20+ antivirus engines with advanced threat analysis, content disarm & reconstruction, and emulation-based detection for zero-day threats.", + "status": "live", + "pricing": "freemium", + "bestFor": "Multi-engine malware detection with advanced threat analysis", + "input": "Files (all types), URLs", + "output": "Multi-engine scan results, threat verdicts, IOC extraction, file behavior analysis", + "opsec": "active", + "opsecNote": "File uploads required; free community version available with API limits", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Hybrid Analysis", + "type": "url", + "url": "https://hybrid-analysis.com/", + "description": "Free automated malware analysis service powered by CrowdStrike Falcon Sandbox. 
Combines runtime data with memory dump analysis to extract execution pathways and IOCs for evasive malware.", + "status": "live", + "pricing": "freemium", + "bestFor": "Advanced malware behavior analysis and evasion detection", + "input": "Files (30MB max free tier), URLs, APKs (up to 30 per month free)", + "output": "Hybrid behavioral analysis, memory dumps, disassembly, IOC extraction, behavioral indicators", + "opsec": "active", + "opsecNote": "Free tier limited to 30 uploads/month; file uploads to external sandbox infrastructure", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Malware Config", + "type": "url", + "url": "https://malwareconfig.com/", + "description": "Database for searching and analyzing extracted malware configurations by hash, domain, or IP address to track C2 infrastructure and malware attributes.", + "status": "live", + "pricing": "free", + "bestFor": "Malware configuration extraction and C2 server tracking", + "input": "SHA256 hash, domain, IP address, malware family", + "output": "Extracted malware configurations, C2 infrastructure, encrypted keys, command data", + "opsec": "passive", + "opsecNote": "Search-only interface; no file uploads required; passive lookups", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": true, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "MetaDefender", + "type": "url", + "url": "https://metadefender.opswat.com/", + "description": "OPSWAT's cloud-based multi-engine malware scanning platform with advanced threat detection using 30+ antivirus engines, CDR technology, and behavioral analysis.", + "status": "live", + "pricing": "freemium", + "bestFor": "Enterprise-grade multi-engine malware detection and advanced threat analysis", + "input": "Files, URLs, streams", + "output": "Multi-engine detection results, threat 
verdicts, behavioral analysis, IOC extraction", + "opsec": "active", + "opsecNote": "File uploads required; commercial and free tiers available", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Ether", + "type": "url", + "url": "https://ether.gtisc.gatech.edu/web_unpack/", + "description": "Georgia Tech malware analysis framework using Intel VT hardware virtualization for transparent, stealthy malware analysis resistant to anti-analysis techniques.", + "status": "live", + "pricing": "free", + "bestFor": "Transparent malware analysis resistant to anti-analysis evasion", + "input": "Executable files, malware samples", + "output": "Fine-grained execution traces, instruction-level analysis, unpacking results, behavior extraction", + "opsec": "active", + "opsecNote": "Hosted analysis service; academic research project from Georgia Institute of Technology", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Jotti's Malware Scanner", + "type": "url", + "url": "https://virusscan.jotti.org/en-US/scan-file", + "description": "Free multi-scanner malware analysis service that submits files for analysis against 14+ antivirus engines. 
No installation or account setup required.", + "status": "live", + "pricing": "free", + "bestFor": "Quick multi-engine scan without installation or account setup", + "input": "Files (up to 5 concurrent, 250MB per file)", + "output": "Detection results from 14+ AV engines, file metadata, scan reports", + "opsec": "active", + "opsecNote": "No account required; file uploads to external scanning service", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Valkyrie File Analysis", + "type": "url", + "url": "https://consumer.valkyrie.comodo.com/", + "description": "Cloud-based verdict-driven malware analysis platform from Comodo using static analysis (450+ unpackers), dynamic analysis, and optional human expert analysis for unknown files.", + "status": "live", + "pricing": "freemium", + "bestFor": "Advanced malware analysis with human expert review option", + "input": "Files (all types), URLs", + "output": "File verdict, behavioral analysis results, IOC extraction, confidence scores, expert analysis", + "opsec": "active", + "opsecNote": "File uploads required; expert analysis available for premium users", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "detux Linux Sandbox", + "type": "url", + "url": "https://detux.org/", + "description": "Open-source multiplatform Linux sandbox for analyzing Linux malware across multiple CPU architectures (x86, x86-64, ARM, MIPS) using QEMU emulation and traffic analysis.", + "status": "live", + "pricing": "free", + "bestFor": "Linux malware analysis across multiple architectures", + "input": "Linux executable files, malware samples", + "output": "Static analysis strings, dynamic traffic capture, IOC extraction, architecture-specific analysis", + "opsec": "active", + "opsecNote": 
"Open-source tool; can be deployed locally or used as hosted service", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Joe File Analyzer", + "type": "url", + "url": "https://www.file-analyzer.net/", + "description": "Part of Joe Sandbox suite; performs hybrid code analysis of PE files on Windows with detailed behavioral and system interaction reporting.", + "status": "live", + "pricing": "freemium", + "bestFor": "PE file malware analysis with system interaction tracking", + "input": "PE executable files (.exe, .dll, etc.)", + "output": "Hybrid behavioral analysis, system calls, network IOCs, threat scores", + "opsec": "active", + "opsecNote": "File uploads to Joe Sandbox infrastructure; free tier has submission limits", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Pikker.ee Cuckoo Sandbox", + "type": "url", + "url": "https://sandbox.pikker.ee/", + "description": "Public instance of Cuckoo Sandbox malware analysis system hosted in Estonia. 
Provides automated dynamic analysis with detailed result reporting for submitted files.", + "status": "live", + "pricing": "free", + "bestFor": "Free automated dynamic malware analysis with detailed behavioral reports", + "input": "Executable files, documents, archives", + "output": "Process monitoring, API calls, file system changes, network traffic, behavioral analysis", + "opsec": "active", + "opsecNote": "Public instance; files uploaded to external infrastructure; Estonian-hosted", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Koodous", + "type": "url", + "url": "https://koodous.com", + "description": "Collaborative platform for Android malware research and analysis with community-driven database of 70+ million Android applications with crowd-sourced malware detection.", + "status": "live", + "pricing": "freemium", + "bestFor": "Android malware analysis with community collaboration and threat intelligence", + "input": "Android APK files, package names, hashes", + "output": "Malware detection results, community analysis, threat indicators, sample sharing", + "opsec": "active", + "opsecNote": "Registration available; community platform with shared threat intelligence", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Any Run", + "type": "url", + "url": "https://app.any.run/", + "description": "Interactive malware analysis sandbox allowing real-time manual interaction with Windows, macOS, Linux, and Android environments. 
Fast report generation with MITRE ATT&CK mapping.", + "status": "live", + "pricing": "freemium", + "bestFor": "Interactive malware analysis with real-time system interaction", + "input": "Files, URLs, APKs, documents (platform-specific)", + "output": "Process graphs, behavioral analysis, MITRE ATT&CK TTPs, IOCs, customizable reports", + "opsec": "active", + "opsecNote": "Interactive analysis leaves traces; free tier limited to 3 public analyses/day; private mode in paid plans", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Uncover It", + "type": "url", + "url": "https://www.uncoverit.org/", + "description": "Static malware configuration extractor that quickly analyzes files without execution to extract malware configurations, C2 infrastructure, and IOCs in under 5 seconds.", + "status": "live", + "pricing": "free", + "bestFor": "Fast static malware configuration extraction", + "input": "Malware samples, executable files", + "output": "Extracted configurations, C2 servers, encryption keys, behavioral indicators", + "opsec": "passive", + "opsecNote": "Static analysis only; no code execution; quick analysis without external dependencies", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Office Files", + "type": "folder", + "children": [ + { + "name": "Office Mal Scanner (T)", + "type": "url", + "url": "https://www.reconstructer.org/", + "description": "Malicious Office document analysis tool for analyzing and reconstructing Office documents to identify exploits and malicious content.", + "status": "live", + "pricing": "free", + "bestFor": "Malicious Office document analysis and reconstruction", + "input": "Microsoft Office documents (.doc, .xls, .ppt)", + "output": "Document structure analysis, malicious 
content extraction, exploit identification", + "opsec": "active", + "opsecNote": "Document upload required; analysis service online", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "OffVis (T)", + "type": "url", + "url": "https://download.microsoft.com/download/1/2/7/127ba59a-4fe1-4acd-ba47-513ceef85a85/OffVis.zip", + "description": "Microsoft Office Visualization Tool for analyzing Office binary files to identify exploits and malicious structures. Displays hex and object tree views.", + "status": "live", + "pricing": "free", + "bestFor": "Office binary file format analysis and exploit detection", + "input": "Office binary files (.doc, .xls, .ppt, .pps, .pot)", + "output": "File structure visualization, hex dump, object trees, vulnerability detection", + "opsec": "passive", + "opsecNote": "Local desktop application; no file uploads; Microsoft-provided tool", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "PDFs", + "type": "folder", + "children": [ + { + "name": "PDF Tools (T)", + "type": "url", + "url": "https://blog.didierstevens.com/programs/pdf-tools/", + "description": "Free suite of PDF analysis tools by Didier Stevens including pdfid (keyword scanning) and pdf-parser.py for analyzing malicious PDF documents and extracting embedded objects.", + "status": "live", + "pricing": "free", + "bestFor": "PDF structure analysis and malicious object extraction", + "input": "PDF files", + "output": "PDF keyword identification, object parsing, embedded JavaScript detection, IOC extraction", + "opsec": "passive", + "opsecNote": "Command-line tools; local execution; open-source from reputable security researcher", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + 
"api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Origami Framework (T)", + "type": "url", + "url": "https://code.google.com/archive/p/origami-pdf/", + "description": "Ruby framework for parsing, analyzing, and forging PDF documents. Includes PDF Walker GUI and PDFcop heuristic checker for detecting dangerous PDF content.", + "status": "live", + "pricing": "free", + "bestFor": "PDF parsing and manipulation for malicious PDF analysis", + "input": "PDF files, PDF objects, malicious content", + "output": "Parsed PDF structure, extracted objects, deobfuscated content, modified PDFs", + "opsec": "passive", + "opsecNote": "Open-source framework; local installation required; no file uploads", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "PCAPs", + "type": "folder", + "children": [ + { + "name": "Malware-Traffic-Analysis.net", + "type": "url", + "url": "https://www.malware-traffic-analysis.net/index.html", + "description": "Training resource and PCAP repository providing network traffic captures from malware infections since 2013. 
Includes tutorials and exercises for malware traffic analysis.", + "status": "live", + "pricing": "free", + "bestFor": "Malware network behavior analysis and training exercises", + "input": "PCAP files, network traffic captures", + "output": "Network indicators (IPs, domains, C2 servers), behavioral analysis, post-exploitation patterns", + "opsec": "passive", + "opsecNote": "PCAP analysis is passive; no live malware execution; educational resource", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Ghidra (T)", + "type": "url", + "url": "https://github.com/NationalSecurityAgency/ghidra", + "description": "Free and open-source reverse engineering framework from NSA for analyzing compiled software. Includes disassembly, decompilation, scripting, and interactive graphing for malware analysis.", + "status": "live", + "pricing": "free", + "bestFor": "Reverse engineering and static malware analysis", + "input": "Executable files (ELF, PE, Mach-O, raw binaries), multiple architectures", + "output": "Disassembly, decompiled code, control flow graphs, function analysis, custom scripts", + "opsec": "passive", + "opsecNote": "Local desktop application; no file uploads; open-source from NSA", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Malware Analysis Tools", + "type": "url", + "url": "https://malwareanalysis.tools/", + "description": "Curated resource and reference guide for malware analysis tools with recommendations for virtualization, safety practices, and tool selection for analysis scenarios.", + "status": "live", + "pricing": "free", + "bestFor": "Malware analysis tool discovery and best practices reference", + "input": "Tool research, methodology guidance", + "output": "Tool recommendations, analysis 
methodologies, safety practices, learning resources", + "opsec": "passive", + "opsecNote": "Reference resource only; no file uploads or active analysis", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "virustotal", + "type": "url", + "url": "https://www.virustotal.com/gui/home/upload", + "description": "Free online service that analyzes files and URLs for viruses, trojans and malicious content detected by 70+ antivirus engines and URL/domain reputation services.", + "status": "live", + "pricing": "freemium", + "bestFor": "Multi-engine malware scanning and URL reputation lookup", + "input": "Files, URLs, domains, IP addresses, file hashes", + "output": "Detection results from 70+ AV engines, behavioral analysis, file insights, related samples", + "opsec": "passive", + "opsecNote": "File uploads are indexed and visible to other users; hash-only queries are private", + "localInstall": false, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Exploits & Advisories", + "type": "folder", + "children": [ + { + "name": "Default Passwords", + "type": "folder", + "children": [ + { + "name": "Default Passwords DB", + "type": "url", + "url": "https://cirt.net/passwords/" + }, + { + "name": "Default passwords list", + "type": "url", + "url": "https://default-password.info/" + }, + { + "name": "Default Password Lookup Utility", + "type": "url", + "url": "https://fortypoundhead.com/tools_dpw.asp" + }, + { + "name": "Phenoelit Default Password List", + "type": "url", + "url": "https://phenoelit.org/dpl/dpl.html" + }, + { + "name": "Default Router Passwords", + "type": "url", + "url": "https://www.routerpasswords.com/" + }, + { + "name": "Open Sez Me Default Passwords", + "type": "url", + "url": "https://open-sez.me/" + }, + { + "name": 
"Hashes.org", + "type": "url", + "url": "https://hashes.org/" + } + ] + }, + { + "name": "Vulert: Updated Open Source Vulnerability Database", + "type": "url", + "url": "https://vulert.com/vuln-db" + }, + { + "name": "MITRE ATT&CK", + "type": "url", + "url": "https://attack.mitre.org/" + }, + { + "name": "Exploit DB", + "type": "url", + "url": "https://www.exploit-db.com/" + }, + { + "name": "Packet Storm", + "type": "url", + "url": "https://packetstormsecurity.com/" + }, + { + "name": "SecurityFocus", + "type": "url", + "url": "https://www.securityfocus.com/bid" + }, + { + "name": "NVD - NIST", + "type": "url", + "url": "https://nvd.nist.gov/" + }, + { + "name": "OSV Vulnerability Library", + "type": "url", + "url": "https://osv.dev/list" + }, + { + "name": "CVE Details", + "type": "url", + "url": "https://www.cvedetails.com/" + }, + { + "name": "CVE - MITRE", + "type": "url", + "url": "https://www.cve.org/" + }, + { + "name": "OWASP", + "type": "url", + "url": "https://www.owasp.org/index.php/Main_Page" + }, + { + "name": "Secunia", + "type": "url", + "url": "https://secuniaresearch.flexerasoftware.com/community/research/" + }, + { + "name": "Australian Cyber Security Centre", + "type": "url", + "url": "https://www.cyber.gov.au/" + }, + { + "name": "Canadian Centre for Cyber Security", + "type": "url", + "url": "https://www.cyber.gc.ca/" + } + ] + }, + { + "name": "Threat Intelligence", + "type": "folder", + "children": [ + { + "name": "Phishing", + "type": "folder", + "children": [ + { + "name": "SecAI.ai", + "type": "url", + "url": "https://secai.ai/research", + "description": "Security research platform providing threat intelligence, vulnerability analysis, and cybersecurity insights with focus on emerging threats.", + "status": "live", + "pricing": "free", + "bestFor": "Security research and threat intelligence", + "input": "Threat indicator or research topic", + "output": "Research articles and threat analysis", + "opsec": "passive", + "opsecNote": "Passive 
threat intelligence platform", + "localInstall": false, + "googleDork": false, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "api": false, + "deprecated": false + }, + { + "name": "https://openphish.com/feed.txt", + "type": "url", + "url": "https://openphish.com/feed.txt", + "description": "Real-time phishing URL feed providing confirmed malicious phishing sites updated continuously.", + "status": "live", + "pricing": "free", + "bestFor": "Phishing URL detection", + "input": "Feed subscription or URL lookup", + "output": "Phishing URLs and malicious domains", + "opsec": "passive", + "opsecNote": "Passive feed consumption of public phishing data", + "localInstall": false, + "googleDork": false, + "api": true, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "deprecated": false + }, + { + "name": "PhishTank", + "type": "url", + "url": "https://www.phishtank.com/", + "description": "Community-driven phishing URL database where users submit and verify suspected phishing sites.", + "status": "live", + "pricing": "free", + "bestFor": "Phishing site verification", + "input": "Phishing URL or suspected malicious site", + "output": "Phishing status and community verification votes", + "opsec": "passive", + "opsecNote": "Passive lookup of community-reported database", + "localInstall": false, + "googleDork": false, + "editUrl": true, + "api": true, + "invitationOnly": false, + "registration": false, + "deprecated": false + }, + { + "name": "PhishStats", + "type": "url", + "url": "https://phishstats.info/", + "description": "Phishing detection and analysis platform providing statistics on campaigns and domain intelligence.", + "status": "live", + "pricing": "free", + "bestFor": "Phishing campaign analysis", + "input": "Domain, IP, or keyword", + "output": "Campaign tracking and threat profiles", + "opsec": "passive", + "opsecNote": "Passive querying of phishing statistics database", + "localInstall": false, + "googleDork": 
false, + "api": true, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "deprecated": false + } + ] + }, + { + "name": "IOC Tools", + "type": "folder", + "children": [ + { + "name": "Jager", + "type": "url", + "url": "https://github.com/sroberts/jager", + "description": "Python IOC aggregation and analysis tool for collecting and organizing security indicators.", + "status": "live", + "pricing": "free", + "bestFor": "IOC collection and aggregation", + "input": "IOC feeds or indicator lists", + "output": "Aggregated IOC database in standardized format", + "opsec": "passive", + "opsecNote": "Local processing of public feeds", + "localInstall": true, + "googleDork": false, + "api": true, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "deprecated": false + }, + { + "name": "IOC Parser", + "type": "url", + "url": "https://github.com/armbues/ioc_parser", + "description": "Python library for extracting and parsing IOCs from raw text and security reports.", + "status": "live", + "pricing": "free", + "bestFor": "IOC extraction from reports", + "input": "Raw text or security reports", + "output": "Parsed IOCs in structured format", + "opsec": "passive", + "opsecNote": "Local text analysis without network interaction", + "localInstall": true, + "googleDork": false, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "api": false, + "deprecated": false + }, + { + "name": "Cacador", + "type": "url", + "url": "https://github.com/sroberts/cacador", + "description": "Python tool for indicator extraction and deduplication from threat intelligence documents.", + "status": "live", + "pricing": "free", + "bestFor": "Indicator extraction and deduplication", + "input": "Documents and threat feeds", + "output": "Extracted and deduplicated IOCs", + "opsec": "passive", + "opsecNote": "Local processing tool for passive analysis", + "localInstall": true, + "googleDork": false, + "invitationOnly": false, + 
"registration": false, + "editUrl": false, + "api": false, + "deprecated": false + }, + { + "name": "ThreatPinch Lookup", + "type": "url", + "url": "https://github.com/cloudtracer/ThreatPinchLookup", + "description": "Browser extension and Python tool for enriching IOCs with real-time threat intelligence.", + "status": "live", + "pricing": "free", + "bestFor": "Indicator enrichment", + "input": "IOC or domain/IP/hash", + "output": "Enriched threat intelligence from multiple sources", + "opsec": "passive", + "opsecNote": "Passive lookup of public threat intel APIs", + "localInstall": true, + "googleDork": false, + "api": true, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "deprecated": false + }, + { + "name": "Mimir", + "type": "url", + "url": "https://github.com/NullArray/Mimir", + "description": "IOC extraction and validation tool from security reports (unmaintained).", + "status": "live", + "pricing": "free", + "bestFor": "IOC extraction and validation", + "input": "Security reports and documents", + "output": "Validated IOCs in structured format", + "opsec": "passive", + "opsecNote": "Local processing tool for passive extraction", + "localInstall": true, + "googleDork": false, + "invitationOnly": false, + "deprecated": true, + "registration": false, + "editUrl": false, + "api": false + }, + { + "name": "iocextract (T)", + "type": "url", + "url": "https://github.com/InQuest/iocextract", + "description": "Python library and CLI tool for rapid IOC extraction with support for obfuscated indicators.", + "status": "live", + "pricing": "free", + "bestFor": "IOC extraction with deobfuscation", + "input": "Raw text with obfuscated indicators", + "output": "Extracted IOCs including decoded variants", + "opsec": "passive", + "opsecNote": "Local text parsing without network interaction", + "localInstall": true, + "googleDork": false, + "invitationOnly": false, + "registration": false, + "editUrl": false, + "api": false, + "deprecated": false + 
},
+ {
+ "name": "ThreatIngestor (T)",
+ "type": "url",
+ "url": "https://github.com/InQuest/ThreatIngestor",
+ "description": "Modular IOC ingestion platform for automated threat indicator extraction from multiple sources.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Automated IOC collection and enrichment",
+ "input": "Multiple threat feeds and RSS sources",
+ "output": "Aggregated and enriched IOCs in repository",
+ "opsec": "passive",
+ "opsecNote": "Passive aggregation of public threat feeds",
+ "localInstall": true,
+ "googleDork": false,
+ "api": true,
+ "invitationOnly": false,
+ "registration": false,
+ "editUrl": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "TTPs",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Malware Exploit TTP Database",
+ "type": "url",
+ "url": "https://www.pwnmalw.re/",
+ "description": "Malware exploit database documenting security vulnerabilities in malware families (offline).",
+ "status": "down",
+ "pricing": "free",
+ "bestFor": "Malware exploit research",
+ "input": "Malware name or exploit query",
+ "output": "Exploit documentation and vulnerability details",
+ "opsec": "passive",
+ "opsecNote": "Passive lookup when functional",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": true
+ },
+ {
+ "name": "Mitre TTPs",
+ "type": "url",
+ "url": "https://attack.mitre.org/",
+ "description": "MITRE ATT&CK framework: globally-accessible knowledge base of adversary tactics and techniques.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Threat modeling and TTP analysis",
+ "input": "Search for tactics, techniques, or threat groups",
+ "output": "Technique descriptions and mitigation strategies",
+ "opsec": "passive",
+ "opsecNote": "Passive research of public threat intelligence",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Terrorism & Extremism",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Academic Research",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Global Terrorism Database",
+ "type": "url",
+ "url": "https://www.start.umd.edu/research-projects/global-terrorism-database-gtd",
+ "description": "Academic database of terrorist attacks maintained by START at University of Maryland.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Terrorism research and analysis",
+ "input": "Search by attack, group, or date",
+ "output": "Terrorist attack records and analysis data",
+ "opsec": "passive",
+ "opsecNote": "Passive academic research database",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "START Consortium for the Study of Terrorism and Responses to Terrorism",
+ "type": "url",
+ "url": "https://www.start.umd.edu/",
+ "description": "National Consortium conducting research on terrorism causes, consequences, and responses.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Terrorism research and education",
+ "input": "Research topics and publications",
+ "output": "Academic research and threat intelligence",
+ "opsec": "passive",
+ "opsecNote": "Passive academic research access",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Research Centers",
+ "type": "folder",
+ "children": [
+ {
+ "name": "CSIS Warfare, Irregular Threats, and Terrorism Program",
+ "type": "url",
+ "url": "https://www.csis.org/programs/warfare-irregular-threats-and-terrorism-program",
+ "description": "Research program analyzing terrorism, cyber threats, and irregular warfare.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Terrorism and threat analysis research",
+ "input": "Research topics and reports",
+ "output": "Reports and analysis on terrorism and warfare",
+ "opsec": "passive",
+ "opsecNote": "Passive access to public research",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Institute for Strategic Dialogue",
+ "type": "url",
+ "url": "https://www.isdglobal.org/",
+ "description": "International research organization studying conflict, extremism, and social change.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Extremism and conflict research",
+ "input": "Research topics and publications",
+ "output": "Research reports and analysis",
+ "opsec": "passive",
+ "opsecNote": "Passive access to public research",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "RAND Terrorism Research",
+ "type": "url",
+ "url": "https://www.rand.org/topics/terrorism.html",
+ "description": "RAND Corporation's collection of research and analysis on terrorism topics.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Terrorism research and policy analysis",
+ "input": "Search for terrorism research",
+ "output": "Academic papers and research findings",
+ "opsec": "passive",
+ "opsecNote": "Passive access to public research",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Sanctions & Watchlists",
+ "type": "folder",
+ "children": [
+ {
+ "name": "OFAC Sanctions List Search",
+ "type": "url",
+ "url": "https://sanctionssearch.ofac.treas.gov/",
+ "description": "U.S. Treasury tool for searching SDN and sanctions lists with approximate string matching.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Sanctions list lookups",
+ "input": "Person or entity name",
+ "output": "Sanctions status and entity information",
+ "opsec": "passive",
+ "opsecNote": "Government database lookup with approximate matching",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": true,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "OpenSanctions",
+ "type": "url",
+ "url": "https://www.opensanctions.org/",
+ "description": "Platform aggregating global sanctions, watchlists, and PEP data from 329 sources.",
+ "status": "live",
+ "pricing": "freemium",
+ "bestFor": "Sanctions and compliance research",
+ "input": "Person, company, or entity name",
+ "output": "Sanctions status and entity details",
+ "opsec": "passive",
+ "opsecNote": "Passive lookup of aggregated public data",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "UN Security Council Consolidated List",
+ "type": "url",
+ "url": "https://main.un.org/securitycouncil/en/content/un-sc-consolidated-list",
+ "description": "Official UN Security Council list of designated individuals and entities.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "UN sanctions verification",
+ "input": "Person or entity name",
+ "output": "UN designation status",
+ "opsec": "passive",
+ "opsecNote": "Passive lookup of official UN data",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Terrorist Financing",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Terrorist Finance Tracking Program",
+ "type": "url",
+ "url": "https://home.treasury.gov/policy-issues/terrorism-and-illicit-finance/terrorist-finance-tracking-program-tftp",
+ "description": "U.S. Treasury program tracking terrorist financing and money laundering.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Terrorist financing intelligence",
+ "input": "Financial or entity information",
+ "output": "Financing intelligence and reports",
+ "opsec": "passive",
+ "opsecNote": "Government resource access",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ }
+ ]
+ },
+ {
 "name": "IBM X-Force Exchange",
 "type": "url",
 "url": "https://exchange.xforce.ibmcloud.com/",
@@ -20857,312 +22019,1114 @@
 "url": "https://www.optoutprescreen.com/?rf=t"
 },
 {
- "name": "Credit Freeze",
+ "name": "Credit Freeze",
+ "type": "url",
+ "url": "https://inteltechniques.com/blog/2018/09/28/complete-credit-freeze-tutorial-update/"
+ },
+ {
+ "name": "Fake US Identities",
+ "type": "url",
+ "url": "https://xdd2.org/"
+ },
+ {
+ "name": "Social Media Fingerprint",
+ "type": "url",
+ "url": "https://robinlinus.github.io/socialmedia-leak/"
+ },
+ {
+ "name": "Privacy Tools",
+ "type": "url",
+ "url": "https://www.privacytools.io/"
+ },
+ {
+ "name": "Panopticlick",
+ "type": "url",
+ "url": "https://panopticlick.eff.org/"
+ },
+ {
+ "name": "Intel Techniques - Hiding from the Internet",
+ "type": "url",
+ "url": "https://inteltechniques.com/data/workbook.pdf"
+ },
+ {
+ "name": "The Many Hats Club - Privacy Resources",
+ "type": "url",
+ "url": "https://themanyhats.club/centralised-place-for-privacy-resources/"
+ },
+ {
+ "name": "The Hitchhiker’s Guide to Online Anonymity",
+ "type": "url",
+ "url": "https://anonymousplanet.org/guide/"
+ },
+ {
+ "name": "Awesome Opt-Out Guide 2026",
+ "type": "url",
+ "url": "https://github.com/thumpersecure/opt-out-manual-2026"
+ }
+ ]
+ },
+ {
+ "name": "Metadata / Style",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Anonymouth - Document Anonymization (T)",
+ "type": "url",
+ "url": "https://github.com/psal/anonymouth"
+ },
+ {
+ "name": "MAT2 (T)",
+ "type": "url",
+ "url": "https://0xacab.org/jvoisin/mat2"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "Documentation / Evidence Capture",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Web Browsing",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Forensic OSINT (T)",
+ "type": "url",
+ "url": "https://www.forensicosint.com/"
+ },
+ {
+ "name": "Fiddler (T)",
+ "type": "url",
+ "url": "https://www.telerik.com/download/fiddler"
+ },
+ {
+ "name": "Burp Suite (T)",
+ "type": "url",
+ "url": "https://portswigger.net/burp/download.html"
+ },
+ {
+ "name": "Page2Images (T)",
 "type": "url",
- "url": "https://inteltechniques.com/blog/2018/09/28/complete-credit-freeze-tutorial-update/"
+ "url": "https://www.page2images.com/URL-Live-Website-Screenshot-Generator"
 },
 {
- "name": "Fake US Identities",
+ "name": "Archive.is",
 "type": "url",
- "url": "https://xdd2.org/"
+ "url": "https://archive.is/"
 },
 {
- "name": "Social Media Fingerprint",
+ "name": "Web Page Saver",
 "type": "url",
- "url": "https://robinlinus.github.io/socialmedia-leak/"
+ "url": "https://www.magnetforensics.com/resources/web-page-saver/"
 },
 {
- "name": "Privacy Tools",
+ "name": "Snapper (T)",
 "type": "url",
- "url": "https://www.privacytools.io/"
+ "url": "https://github.com/dxa4481/Snapper"
 },
 {
- "name": "Panopticlick",
+ "name": "Full Page Screen Capture Chrome Extension (T)",
 "type": "url",
- "url": "https://panopticlick.eff.org/"
+ "url": "https://github.com/mrcoles/full-page-screen-capture-chrome-extension"
 },
 {
- "name": "Intel Techniques - Hiding from the Internet",
+ "name": "EZR OSINT Sidebar (T)",
 "type": "url",
- "url": "https://inteltechniques.com/data/workbook.pdf"
- },
+ "url": "https://chromewebstore.google.com/detail/ezr-osint-sidebar/joagbbgciboooipadijeaoidjjigdmof"
+ }
+ ]
+ },
+ {
+ "name": "Screen Capture",
+ "type": "folder",
+ "children": [
 {
- "name": "The Many Hats Club - Privacy Resources",
+ "name": "FRAPS (T)",
 "type": "url",
- "url": "https://themanyhats.club/centralised-place-for-privacy-resources/"
+ "url": "https://fraps.com/"
 },
 {
- "name": "The Hitchhiker’s Guide to Online Anonymity",
+ "name": "ShareX (T)",
 "type": "url",
- "url": "https://anonymousplanet.org/guide/"
+ "url": "https://getsharex.com/"
 },
 {
- "name": "Awesome Opt-Out Guide 2026",
+ "name": "Greenshot (T)",
 "type": "url",
- "url": "https://github.com/thumpersecure/opt-out-manual-2026"
+ "url": "https://getgreenshot.org/"
 }
 ]
 },
 {
- "name": "Metadata / Style",
+ "name": "Map Locations",
 "type": "folder",
 "children": [
 {
- "name": "Anonymouth - Document Anonymization (T)",
+ "name": "Google Street View - Hyperlapse",
 "type": "url",
- "url": "https://github.com/psal/anonymouth"
+ "url": "https://github.com/TeehanLax/Hyperlapse.js"
 },
 {
- "name": "MAT2 (T)",
+ "name": "ZeeMaps",
 "type": "url",
- "url": "https://0xacab.org/jvoisin/mat2"
+ "url": "https://www.zeemaps.com/"
 }
 ]
+ },
+ {
+ "name": "Timeline JS3",
+ "type": "url",
+ "url": "https://timeline.knightlab.com/"
 }
 ]
 },
 {
- "name": "Documentation / Evidence Capture",
+ "name": "Training",
 "type": "folder",
 "children": [
 {
- "name": "Web Browsing",
+ "name": "Games",
 "type": "folder",
 "children": [
 {
- "name": "Forensic OSINT (T)",
+ "name": "GeoGuesser",
 "type": "url",
- "url": "https://www.forensicosint.com/"
+ "url": "https://www.geoguessr.com/",
+ "description": "Geography game for geolocation OSINT training; users observe visual clues in Street View panoramas to guess locations worldwide.",
+ "status": "live",
+ "pricing": "freemium",
+ "bestFor": "Geolocation skills, visual intelligence analysis, landmark identification",
+ "input": "Street View imagery, map interface",
+ "output": "Accuracy score, location guess feedback, player rankings",
+ "opsec": "passive",
+ "opsecNote": "No active reconnaissance; purely observational gameplay using public imagery.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Fiddler (T)",
+ "name": "Verif!cation Quiz Bot",
 "type": "url",
- "url": "https://www.telerik.com/download/fiddler"
+ "url": "https://x.com/quiztime",
+ "description": "Daily OSINT verification challenges posted on X (Twitter), using a community-driven quiz format for image geolocation and source verification.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Community OSINT challenges, image verification techniques, collaborative research",
+ "input": "Shared images and verification questions from quizmasters",
+ "output": "Community discussion threads, solution walkthroughs, and learning outcomes",
+ "opsec": "passive",
+ "opsecNote": "No active probing; public community engagement via social replies.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Forensic OSINT KB Guides",
+ "type": "url",
+ "url": "https://www.forensicosint.com/osint-guide",
+ "description": "Knowledge base of digital forensics guides for evidence capture and court-admissible documentation, including web capture and metadata analysis.",
+ "status": "live",
+ "pricing": "freemium",
+ "bestFor": "Digital evidence preservation, chain-of-custody documentation, court-ready OSINT reporting",
+ "input": "Target URLs or digital media requiring forensic capture",
+ "output": "Timestamped artifacts, metadata analysis guidance, preserved evidence workflows",
+ "opsec": "passive",
+ "opsecNote": "Evidence collection focus; requires proper methodology for investigative and legal contexts.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Open Source Intelligence Techniques",
+ "type": "url",
+ "url": "https://inteltechniques.com/",
+ "description": "Professional OSINT training and certification by IntelTechniques with extensive video modules, documentation, and practical investigative exercises.",
+ "status": "live",
+ "pricing": "paid",
+ "bestFor": "Professional OSINT certification, structured curriculum, advanced investigative techniques",
+ "input": "Student participation in course modules, notes, and guided practical exercises",
+ "output": "Course completion, certification-track readiness, and advanced OSINT methodology",
+ "opsec": "passive",
+ "opsecNote": "Instructor-led educational platform focused on passive investigative methodology.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Plessas",
+ "type": "url",
+ "url": "https://plessas.net/online-training",
+ "description": "Expert-led OSINT training courses by Plessas Experts Network, from fundamentals to intensive hands-on investigation programs.",
+ "status": "live",
+ "pricing": "paid",
+ "bestFor": "Professional investigative training, corporate intelligence, legal and compliance investigations",
+ "input": "Structured coursework, practical OSINT exercises, and instructor interaction",
+ "output": "Course completion outcomes, investigative skill development, and training credentials",
+ "opsec": "passive",
+ "opsecNote": "Educational environment centered on passive research techniques.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "The OSINTion",
+ "type": "url",
+ "url": "https://www.theosintion.com/courses",
+ "description": "Affordable OSINT training courses by Joe Gray, including people OSINT, business investigations, and blockchain-focused instruction.",
+ "status": "live",
+ "pricing": "paid",
+ "bestFor": "Accessible OSINT courses, CTF-style learning, people and business intelligence workflows",
+ "input": "Live or remote class participation, practical exercises, and case-study analysis",
+ "output": "Completed coursework, practical investigative techniques, and reusable OSINT workflows",
+ "opsec": "passive",
+ "opsecNote": "Training-focused environment without active network probing requirements.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": true,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Smart Questions",
+ "type": "url",
+ "url": "https://www.catb.org/esr/faqs/smart-questions.html",
+ "description": "Foundational guide by Eric S. Raymond on asking effective technical questions in open-source and technical communities.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Research methodology, effective questioning, and stronger information-seeking habits",
+ "input": "Reader engagement with essay guidelines and practical examples",
+ "output": "Improved question framing, clearer research requests, and better community responses",
+ "opsec": "passive",
+ "opsecNote": "Pure methodology reference; no target interaction or probing.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Mobile Safety",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Mobile Security Analysis",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Warden",
+ "type": "url",
+ "url": "https://github.com/com-480-data-visualization/project-2024-data-warden",
+ "description": "Open-source Android application that detects and logs mobile trackers, spyware, and hidden file access attempts. Provides real-time monitoring of app permissions and suspicious activities.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Android mobile security monitoring, tracker detection, app permission analysis",
+ "input": "Install app on Android device and enable monitoring permissions",
+ "output": "Real-time alerts on tracker activity, suspicious file access, permission violations",
+ "opsec": "passive",
+ "opsecNote": "Local device analysis; no external communication required for basic functionality",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Burp Suite (T)",
+ "name": "ADB - Android Debug Bridge (T)",
 "type": "url",
- "url": "https://portswigger.net/burp/download.html"
+ "url": "https://developer.android.com/studio/command-line/adb",
+ "description": "Google's official command-line tool for communicating with Android devices. Enables app installation, device forensics, and system analysis for security researchers.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Android device forensics, app analysis, system-level mobile investigation",
+ "input": "Connected Android device and command-line queries",
+ "output": "System logs, app package details, file access history, device information",
+ "opsec": "passive",
+ "opsecNote": "Local tool; requires physical access or USB debugging enabled on target device",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Page2Images (T)",
+ "name": "Frida (T)",
 "type": "url",
- "url": "https://www.page2images.com/URL-Live-Website-Screenshot-Generator"
+ "url": "https://frida.re/",
+ "description": "Open-source dynamic instrumentation toolkit for inspecting and modifying app behavior on iOS and Android without source code modifications.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Mobile app runtime analysis, behavior monitoring, anti-reverse-engineering bypass",
+ "input": "Target app package name and Frida scripts",
+ "output": "Real-time app behavior, intercepted method calls, memory dumps",
+ "opsec": "active",
+ "opsecNote": "Advanced tool; app behavior modification may be detectable by security measures",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Archive.is",
+ "name": "Burp Suite Community Edition (T)",
 "type": "url",
- "url": "https://archive.is/"
+ "url": "https://portswigger.net/burp/communitydownload",
+ "description": "Free web security testing tool that can intercept mobile app traffic via proxy for API analysis and data exposure identification.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Mobile app API analysis, traffic interception, data leakage detection",
+ "input": "Proxy configuration and mobile app traffic",
+ "output": "Intercepted requests/responses, API endpoint analysis, sensitive data detection",
+ "opsec": "active",
+ "opsecNote": "App traffic interception; may trigger security alerts if app has certificate pinning",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Web Page Saver",
+ "name": "MobSF - Mobile Security Framework (T)",
 "type": "url",
- "url": "https://www.magnetforensics.com/resources/web-page-saver/"
+ "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF",
+ "description": "Open-source mobile application security testing framework supporting automated analysis of APK and iOS app files for vulnerabilities.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Automated Android APK analysis, permission audit, malware detection",
+ "input": "APK or app files",
+ "output": "Security issues, permission risks, hardcoding vulnerabilities, malware signatures",
+ "opsec": "passive",
+ "opsecNote": "Static analysis tool; no runtime interaction with target device",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Snapper (T)",
+ "name": "JADX (T)",
 "type": "url",
- "url": "https://github.com/dxa4481/Snapper"
+ "url": "https://github.com/skylot/jadx",
+ "description": "Open-source Dex to Java decompiler for Android APK reverse engineering and static inspection.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Android APK code inspection and reverse engineering",
+ "input": "APK or DEX files",
+ "output": "Decompiled Java source and resource mappings",
+ "opsec": "passive",
+ "opsecNote": "Local static analysis of app packages without target interaction.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Full Page Screen Capture Chrome Extension (T)",
+ "name": "Apktool (T)",
 "type": "url",
- "url": "https://github.com/mrcoles/full-page-screen-capture-chrome-extension"
+ "url": "https://github.com/iBotPeaches/Apktool",
+ "description": "Open-source tool for decoding and rebuilding Android APK resources and manifests.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Android manifest/resource analysis and repackaging workflows",
+ "input": "APK files",
+ "output": "Decoded resources, manifest files, and rebuild artifacts",
+ "opsec": "passive",
+ "opsecNote": "Offline local processing of APK files.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "EZR OSINT Sidebar (T)",
+ "name": "Objection (T)",
 "type": "url",
- "url": "https://chromewebstore.google.com/detail/ezr-osint-sidebar/joagbbgciboooipadijeaoidjjigdmof"
+ "url": "https://github.com/sensepost/objection",
+ "description": "Open-source runtime mobile exploration toolkit built on Frida for iOS and Android app security testing.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Runtime mobile app security testing and instrumentation",
+ "input": "Running mobile app target and Frida server setup",
+ "output": "Runtime hooks, class/method inspection, and security test artifacts",
+ "opsec": "active",
+ "opsecNote": "Instrumentation activity may be detected by hardened mobile apps.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 }
 ]
 },
 {
- "name": "Screen Capture",
+ "name": "Device Tracking Detection",
 "type": "folder",
 "children": [
 {
- "name": "FRAPS (T)",
- "type": "url",
- "url": "https://fraps.com/"
- },
- {
- "name": "ShareX (T)",
+ "name": "STIX - Spike Tracker Interference X (T)",
 "type": "url",
- "url": "https://getsharex.com/"
+ "url": "https://github.com/spikeforensics/stix",
+ "description": "Open-source tool to detect and document spyware tracking on Android devices through ADB analysis and system logging.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Spyware and tracking detection, forensic documentation",
+ "input": "Android device via ADB connection",
+ "output": "Detected trackers, spyware signatures, suspicious system processes",
+ "opsec": "passive",
+ "opsecNote": "Requires ADB access; local analysis only",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Greenshot (T)",
+ "name": "NetGuard - Network Monitor (T)",
 "type": "url",
- "url": "https://getgreenshot.org/"
+ "url": "https://github.com/M66B/NetGuard",
+ "description": "Open-source Android app providing real-time network monitoring, app-level firewall, and data usage tracking with no root required.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Network activity monitoring, app connection tracking, hidden data exfiltration detection",
+ "input": "Install and configure on Android device",
+ "output": "Real-time network connections, app communication logs, data usage statistics",
+ "opsec": "passive",
+ "opsecNote": "Local device tool; monitors device's own network activity",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 }
 ]
+ }
+ ]
+ },
+ {
+ "name": "Tor Network Tools & Infrastructure",
+ "type": "folder",
+ "children": [
+ {
+ "name": "Stem (T)",
+ "type": "python3 Module",
+ "url": "https://stem.torproject.org/",
+ "description": "Python library for interacting with Tor and controlling the Tor daemon programmatically.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Automated Tor control and network interaction workflows",
+ "input": "Tor daemon configuration",
+ "output": "Network status, circuit information, and Tor metrics",
+ "opsec": "passive",
+ "opsecNote": "Local library interaction; no external network probing inherently required.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Nyx (T)",
+ "type": "python3 Module",
+ "url": "https://nyx.torproject.org/",
+ "description": "Command-line Tor network monitor providing real-time visibility into Tor connections and relay information.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Real-time Tor network monitoring and relay analysis",
+ "input": "Tor daemon connection",
+ "output": "Network statistics, bandwidth, circuits, and relay details",
+ "opsec": "passive",
+ "opsecNote": "Local monitoring tool connecting to own Tor instance.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Metrics - The Tor Project (T)",
+ "type": "url",
+ "url": "https://metrics.torproject.org/",
+ "description": "Official Tor Project platform providing aggregate network statistics, relay data, and historical analysis.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Tor network-wide statistics and relay reputation research",
+ "input": "Relay fingerprints or network queries",
+ "output": "Network metrics, relay uptime, bandwidth distribution",
+ "opsec": "passive",
+ "opsecNote": "Aggregate statistics from official Tor infrastructure.",
+ "localInstall": false,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": true,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Tails (T)",
+ "type": "url",
+ "url": "https://tails.boum.org/",
+ "description": "Live operating system focused on privacy with Tor integration and amnesic design for ephemeral sessions.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Anonymized dark web investigations and privacy-hardened operations",
+ "input": "System boot and configuration",
+ "output": "Isolated Tor-enabled environment with no persistent state",
+ "opsec": "passive",
+ "opsecNote": "Designed to minimize forensic traces and log persistent data.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Whonix (T)",
+ "type": "url",
+ "url": "https://www.whonix.org/",
+ "description": "Hardened virtual machine operating system with Tor routing and isolation architecture for anonymous computing.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Hardware-isolated anonymous computing and network segregation",
+ "input": "Virtual machine deployment",
+ "output": "Tor-routed computing environment with hardware isolation",
+ "opsec": "passive",
+ "opsecNote": "Gateway/workstation isolation model prevents IP leaks and network correlation.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Proxychains (T)",
+ "type": "python3 Module",
+ "url": "https://github.com/haad/proxychains",
+ "description": "Tool for forcing applications through proxy chains including Tor for application-level anonymization.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Application-level proxy routing through Tor for legacy software",
+ "input": "Application binaries and proxy configuration",
+ "output": "Proxied application traffic routed through Tor chain",
+ "opsec": "active",
+ "opsecNote": "Proxychaining can be detected by destination services if DNS/application layer leaks occur.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Obfs4 Bridges (T)",
+ "type": "url",
+ "url": "https://bridges.torproject.org/",
+ "description": "Tor Bridge with obfuscation to bypass censorship and evade deep packet inspection analysis.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Accessing Tor in censored regions and evading network-level blocking",
+ "input": "Bridge distribution requests",
+ "output": "Obfuscated bridge addresses and connection configurations",
+ "opsec": "passive",
+ "opsecNote": "Bridge access requests go through the official Tor distribution system.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Snowflake (T)",
+ "type": "url",
+ "url": "https://snowflake.torproject.org/",
+ "description": "Proxy-based circumvention tool using volunteer browser peers to access Tor in heavily censored areas.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Emergency access to Tor through decentralized peer proxies in extreme censorship",
+ "input": "Tor client configuration",
+ "output": "Volunteer-based network access through Snowflake proxies",
+ "opsec": "passive",
+ "opsecNote": "Decentralized system reduces single point of failure but adds transport overhead.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "OnionSearch (T)",
+ "type": "url",
+ "url": "https://github.com/megadose/OnionSearch",
+ "description": "Open-source CLI for searching onion services through multiple dark web search engines.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Onion discovery from multiple indexed sources",
+ "input": "Keywords and optional search engine selectors",
+ "output": "Aggregated onion search results and source references",
+ "opsec": "active",
+ "opsecNote": "Automated querying against third-party indexes can be rate-limited or logged.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Onionshare (T)",
+ "type": "url",
+ "url": "https://github.com/onionshare/onionshare",
+ "description": "Open-source tool for anonymously sharing files and hosting basic services over the Tor network.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Secure Tor-based file sharing and temporary service hosting",
+ "input": "Files or hosted content configuration",
+ "output": "Tor onion addresses and transfer/session activity",
+ "opsec": "passive",
+ "opsecNote": "Designed for privacy-preserving sharing through Tor hidden services.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ }
+ ]
+ },
+ {
+ "name": "Hidden Service Analysis & Fingerprinting",
+ "type": "folder",
+ "children": [
+ {
+ "name": "TorCensus (T)",
+ "type": "url",
+ "url": "https://github.com/jkbnt/TorCensus",
+ "description": "Automated census tool for discovering and categorizing hidden services on the Tor network.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Large-scale hidden service discovery and classification",
+ "input": "Tor network configuration",
+ "output": "Categorized hidden service inventory and metadata",
+ "opsec": "active",
+ "opsecNote": "Automated probing of hidden services generates high signal and can trigger detection systems.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "WBOT Web Crawler (T)",
+ "type": "url",
+ "url": "https://github.com/SkAzoic/WBOT-web-crawler",
+ "description": "Python web crawler for indexing and analyzing onion service content with link extraction.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Automated onion content crawling and repository building",
+ "input": "Onion URLs and crawl configuration",
+ "output": "Indexed content, extracted links, and metadata",
+ "opsec": "active",
+ "opsecNote": "Web crawling generates multiple requests to target services and can be flagged.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
+ },
+ {
+ "name": "Onionchef (T)",
+ "type": "url",
+ "url": "https://github.com/r-o-b-o-t/onionchef",
+ "description": "Forensic analysis tool for examining hidden service configuration and identifying operational patterns.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "Hidden service infrastructure analysis and adversary profiling",
+ "input": ".onion service targets",
+ "output": "Configuration patterns, infrastructure indicators, and correlation data",
+ "opsec": "active",
+ "opsecNote": "Forensic analysis requires probing target services and may trigger alerting.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Map Locations",
- "type": "folder",
- "children": [
- {
- "name": "Google Street View - Hyperlapse",
- "type": "url",
- "url": "https://github.com/TeehanLax/Hyperlapse.js"
- },
- {
- "name": "ZeeMaps",
- "type": "url",
- "url": "https://www.zeemaps.com/"
- }
- ]
+ "name": "ScrapeDNS (T)",
+ "type": "url",
+ "url": "https://github.com/screetsec/TheStagingServer",
+ "description": "DNS reconnaissance and hidden service enumeration tool for mapping Tor infrastructure.",
+ "status": "live",
+ "pricing": "free",
+ "bestFor": "DNS-based hidden service enumeration and correlation",
+ "input": "DNS query patterns and network configuration",
+ "output": "DNS results, service mappings, and infrastructure correlations",
+ "opsec": "active",
+ "opsecNote": "DNS-based enumeration may leak queries to exit nodes or resolvers.",
+ "localInstall": true,
+ "googleDork": false,
+ "registration": false,
+ "editUrl": false,
+ "api": false,
+ "invitationOnly": false,
+ "deprecated": false
 },
 {
- "name": "Timeline JS3",
+ "name": "Shodan Search (T)",
 "type": "url",
- "url": "https://timeline.knightlab.com/"
+ "url": "https://www.shodan.io/",
+ "description": "Internet-scale search engine that can map .onion IP infrastructure and exposed services.",
+ "status": "live",
+ "pricing": "freemium",
+ "bestFor": "Mapping IP-to-onion correlations and identifying exposed hidden service infrastructure",
+ "input": "Onion IP addresses or related infrastructure identifiers",
+ "output": "Service banners, port information, and hosting correlation data",
+ "opsec": "passive",
+ "opsecNote": "Query-based search; can reveal infrastructure but doesn't probe directly.",
+ 
"localInstall": false, + "googleDork": false, + "registration": true, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false } ] }, { - "name": "Training", + "name": "Leak Database & Breach Analysis", "type": "folder", "children": [ { - "name": "Games", - "type": "folder", - "children": [ - { - "name": "GeoGuesser", - "type": "url", - "url": "https://www.geoguessr.com/", - "description": "Geography game for geolocation OSINT training; users observe visual clues in Street View panoramas to guess locations worldwide.", - "status": "live", - "pricing": "freemium", - "bestFor": "Geolocation skills, visual intelligence analysis, landmark identification", - "input": "Street View imagery, map interface", - "output": "Accuracy score, location guess feedback, player rankings", - "opsec": "passive", - "opsecNote": "No active reconnaissance; purely observational gameplay using public imagery.", - "localInstall": false, - "googleDork": false, - "registration": true, - "editUrl": false, - "api": true, - "invitationOnly": false, - "deprecated": false - }, - { - "name": "Verif!cation Quiz Bot", - "type": "url", - "url": "https://x.com/quiztime", - "description": "Daily OSINT verification challenges posted on X (Twitter), using a community-driven quiz format for image geolocation and source verification.", - "status": "live", - "pricing": "free", - "bestFor": "Community OSINT challenges, image verification techniques, collaborative research", - "input": "Shared images and verification questions from quizmasters", - "output": "Community discussion threads, solution walkthroughs, and learning outcomes", - "opsec": "passive", - "opsecNote": "No active probing; public community engagement via social replies.", - "localInstall": false, - "googleDork": false, - "registration": true, - "editUrl": false, - "api": false, - "invitationOnly": false, - "deprecated": false - } - ] + "name": "Pwndb (T)", + "type": "url", + "url": "https://www.pwndb.com/", + 
"description": "Dark web searchable database of leaked credentials and breached account information.", + "status": "live", + "pricing": "free", + "bestFor": "Searching for compromised credentials and account breach verification", + "input": "Email, username, or hash", + "output": "Associated credentials, breach context, and compromise timeline", + "opsec": "passive", + "opsecNote": "Query-based searches through aggregated breach databases.", + "localInstall": false, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false }, { - "name": "Forensic OSINT KB Guides", + "name": "LOLBas - Living Off the Land Binaries (T)", "type": "url", - "url": "https://www.forensicosint.com/osint-guide", - "description": "Knowledge base of digital forensics guides for evidence capture and court-admissible documentation, including web capture and metadata analysis.", + "url": "https://lolbas-project.github.io/", + "description": "Catalog of legitimate Windows/Linux binaries abused for malicious purposes in breach scenarios.", "status": "live", - "pricing": "freemium", - "bestFor": "Digital evidence preservation, chain-of-custody documentation, court-ready OSINT reporting", - "input": "Target URLs or digital media requiring forensic capture", - "output": "Timestamped artifacts, metadata analysis guidance, preserved evidence workflows", + "pricing": "free", + "bestFor": "Forensic analysis of compromised systems and attack techniques from breaches", + "input": "System binaries and execution logs", + "output": "Attack vector identification and forensic correlation", "opsec": "passive", - "opsecNote": "Evidence collection focus; requires proper methodology for investigative and legal contexts.", + "opsecNote": "Reference-only resource for forensic analysis.", "localInstall": false, "googleDork": false, - "registration": true, + "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": 
false, "deprecated": false }, { - "name": "Open Source Intelligence Techniques", + "name": "Breached Database Archive (T)", "type": "url", - "url": "https://inteltechniques.com/", - "description": "Professional OSINT training and certification by IntelTechniques with extensive video modules, documentation, and practical investigative exercises.", + "url": "https://breacheddatabase.com/", + "description": "Aggregated archive of publicly disclosed breaches with full database dumps and analysis.", "status": "live", - "pricing": "paid", - "bestFor": "Professional OSINT certification, structured curriculum, advanced investigative techniques", - "input": "Student participation in course modules, notes, and guided practical exercises", - "output": "Course completion, certification-track readiness, and advanced OSINT methodology", + "pricing": "free", + "bestFor": "Access to comprehensive breached dataset collections for research", + "input": "Search terms, emails, or usernames", + "output": "Breached records, credentials, and associated metadata", "opsec": "passive", - "opsecNote": "Instructor-led educational platform focused on passive investigative methodology.", + "opsecNote": "Query-based archive search without direct target contact.", "localInstall": false, "googleDork": false, - "registration": true, + "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "Plessas", + "name": "Hashes.org (T)", "type": "url", - "url": "https://plessas.net/online-training", - "description": "Expert-led OSINT training courses by Plessas Experts Network, from fundamentals to intensive hands-on investigation programs.", + "url": "https://hashes.org/", + "description": "Collaborative hash reverse lookup database populated by distributed hashing projects.", "status": "live", - "pricing": "paid", - "bestFor": "Professional investigative training, corporate intelligence, legal and compliance investigations", - 
"input": "Structured coursework, practical OSINT exercises, and instructor interaction", - "output": "Course completion outcomes, investigative skill development, and training credentials", + "pricing": "free", + "bestFor": "Reverse hash lookup from leaked password hashes and security research", + "input": "MD5, SHA1, SHA256 hashes", + "output": "Plaintext recovery and associated compromise context", "opsec": "passive", - "opsecNote": "Educational environment centered on passive research techniques.", + "opsecNote": "Query-based hash lookup through crowdsourced databases.", "localInstall": false, "googleDork": false, - "registration": true, + "registration": false, "editUrl": false, - "api": false, + "api": true, "invitationOnly": false, "deprecated": false }, { - "name": "The OSINTion", + "name": "Have I Been Pwned (T)", "type": "url", - "url": "https://www.theosintion.com/courses", - "description": "Affordable OSINT training courses by Joe Gray, including people OSINT, business investigations, and blockchain-focused instruction.", + "url": "https://haveibeenpwned.com/", + "description": "Searchable database of publicly disclosed breaches with direct notification and notification API.", "status": "live", - "pricing": "paid", - "bestFor": "Accessible OSINT courses, CTF-style learning, people and business intelligence workflows", - "input": "Live or remote class participation, practical exercises, and case-study analysis", - "output": "Completed coursework, practical investigative techniques, and reusable OSINT workflows", + "pricing": "free", + "bestFor": "Quick breach notification and account compromise verification", + "input": "Email address or password", + "output": "Breach history, exposed fields, and compromise dates", "opsec": "passive", - "opsecNote": "Training-focused environment without active network probing requirements.", + "opsecNote": "Query sent to central database; searches are HTTPS-protected but logged.", + "localInstall": false, + "googleDork": 
false, + "registration": false, + "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Dehashed (T)", + "type": "url", + "url": "https://dehashed.com/", + "description": "Hash cracking and leak database search platform for compromised credential verification.", + "status": "live", + "pricing": "freemium", + "bestFor": "Hash cracking and comprehensive credential leak searching", + "input": "Hashes, emails, usernames, or passwords", + "output": "Hash cracking results and associated breach records", + "opsec": "passive", + "opsecNote": "User accounts required for premium features; queries are logged by provider.", "localInstall": false, "googleDork": false, "registration": true, "editUrl": false, + "api": true, + "invitationOnly": false, + "deprecated": false + } + ] + }, + { + "name": "Metadata Extraction & Forensics", + "type": "folder", + "children": [ + { + "name": "ExifTool (T)", + "type": "python3 Module", + "url": "https://github.com/exiftool/exiftool", + "description": "Comprehensive metadata extraction and modification tool for images, videos, and documents.", + "status": "live", + "pricing": "free", + "bestFor": "EXIF and metadata extraction from leaked media and dark web content", + "input": "Image, video, or document files", + "output": "Extracted metadata including location, device info, and timestamps", + "opsec": "passive", + "opsecNote": "Local file analysis with no external connectivity.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, "api": false, "invitationOnly": false, "deprecated": false }, { - "name": "Smart Questions", + "name": "GeoIP2 with Offline Database (T)", + "type": "python3 Module", + "url": "https://github.com/maxmind/geoip2-python", + "description": "Offline IP geolocation database queries with MaxMind GeoIP2 for infrastructure mapping.", + "status": "live", + "pricing": "free", + "bestFor": "IP-to-location correlation for infrastructure 
and server identification", + "input": "IP addresses", + "output": "Geographic location, ASN, ISP, and organization data", + "opsec": "passive", + "opsecNote": "Offline database queries with no external network dependency.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Microfish (T)", + "type": "python3 Module", + "url": "https://github.com/SkAzoic/microfish", + "description": "Microfish analyzer for detecting malicious payloads and embedded code signatures in dark web documents.", + "status": "live", + "pricing": "free", + "bestFor": "Malware detection and embedded code analysis in suspicious dark web documents", + "input": "Document files and binary payloads", + "output": "Detected malware signatures, embedded code indicators, and threat classification", + "opsec": "passive", + "opsecNote": "Local static analysis without execution or external connectivity.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Stripper (T)", "type": "url", - "url": "https://www.catb.org/esr/faqs/smart-questions.html", - "description": "Foundational guide by Eric S. 
Raymond on asking effective technical questions in open-source and technical communities.", + "url": "https://github.com/SkAzoic/Stripper", + "description": "Metadata sanitization tool for removing sensitive metadata from documents before transmission.", "status": "live", "pricing": "free", - "bestFor": "Research methodology, effective questioning, and stronger information-seeking habits", - "input": "Reader engagement with essay guidelines and practical examples", - "output": "Improved question framing, clearer research requests, and better community responses", + "bestFor": "OPSEC preservation by stripping metadata from leaked/analyzed documents", + "input": "Documents with embedded metadata", + "output": "Sanitized documents with metadata removed", + "opsec": "active", + "opsecNote": "Used for operational security in document handling workflows.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Volatility (T)", + "type": "python3 Module", + "url": "https://github.com/volatilityfoundation/volatility3", + "description": "Advanced memory forensics framework for analyzing volatile memory and system artifacts from compromised systems.", + "status": "live", + "pricing": "free", + "bestFor": "Memory forensics and malware analysis from breach investigations", + "input": "Memory dumps and system images", + "output": "Process information, network connections, and malware indicators", "opsec": "passive", - "opsecNote": "Pure methodology reference; no target interaction or probing.", - "localInstall": false, + "opsecNote": "Offline analysis of captured memory dumps.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "Strings (T)", + "type": "python3 Module", + "url": "https://github.com/Shoresh/Strings-Extract", + 
"description": "String extraction tool for analyzing binary files and detecting embedded text artifacts in malware.", + "status": "live", + "pricing": "free", + "bestFor": "Binary content analysis and malware string extraction", + "input": "Binary files and executables", + "output": "Extracted readable strings and embedded text patterns", + "opsec": "passive", + "opsecNote": "Local binary analysis tool with no external dependency.", + "localInstall": true, + "googleDork": false, + "registration": false, + "editUrl": false, + "api": false, + "invitationOnly": false, + "deprecated": false + }, + { + "name": "PDF Metadata Extractor (T)", + "type": "python3 Module", + "url": "https://github.com/adamkrk/pdf_metadata_extractor", + "description": "Specialized tool for extracting and analyzing metadata from PDF files including creation/modification dates.", + "status": "live", + "pricing": "free", + "bestFor": "PDF forensics and document attribution through metadata analysis", + "input": "PDF files", + "output": "PDF metadata including author, creation date, software, and edit history", + "opsec": "passive", + "opsecNote": "Local PDF analysis without external connectivity.", + "localInstall": true, "googleDork": false, "registration": false, "editUrl": false,