Appendix C: Defensive Tool Reference
Tools do not make you secure — process, architecture, and people do (Theme 1). But a defender who cannot name the right tool for a job wastes hours building by hand what a free, mature project already does well. This appendix is a categorized field reference to the open-source and freely available tools a blue team actually reaches for, organized by the function they serve and mapped to the chapter that teaches the concept behind them. It is deliberately biased toward open-source: not because commercial tools are inferior — several are excellent — but because the open tools are the ones a student can install in a lab tonight, and because understanding the open version teaches you what the commercial dashboard is doing underneath.
Every tool here is a defensive tool: it analyzes, audits, monitors, hardens, or investigates. We do not catalog offensive tooling — exploitation frameworks, credential-dumpers, C2 servers — because this is the defender's volume. A handful of tools below (nmap, the vulnerability scanners, the secrets scanners) are dual-use: the same scanner that an attacker runs to find your weaknesses is the one you run to find them first. For those, treat the Authorization column as load-bearing, not decorative.
⚖️ Authorization & Ethics: Scanning, probing, and credential-searching are defensive only when the target is yours or you have explicit written authorization to test it (a signed scope, a penetration-test agreement, a bug-bounty program's rules). Pointing any scanner — port, vulnerability, web, or secrets — at a system you do not own or are not authorized to test is, in most jurisdictions, a crime, regardless of your intent. Inventory your network. Scan your code. Audit your cloud account. The tooling is identical; the authorization is what separates a defender from an intruder.
A note on versions: this reference deliberately does not pin version numbers, because they change faster than print and the wrong number is worse than none. Install the current release from the project's official source, and verify download integrity (checksums or signatures) before running anything — a supply-chain lesson from Chapters 29 and 31 that applies to your own toolkit too.
C.1 Network analysis and visibility
The defender's first question in almost any investigation is what is actually on the wire, and what is talking to what? These tools answer it. They map to the network-security spine of Part II — fundamentals and monitoring (Chapters 6 and 10), the firewall/IDS/IPS layer (Chapter 7), and DNS/email/web defenses (Chapter 9).
| Tool | One-line purpose | Chapter | Authorization note |
|---|---|---|---|
| Wireshark | Deep packet capture and protocol analysis — inspect individual packets and reconstruct sessions for investigation and learning. | 6, 10 | Capture only on networks you own/administer; payloads may contain others' sensitive data — handle accordingly. |
| tcpdump | Lightweight command-line packet capture and filtering on a host or sensor, scriptable for headless/remote use. | 6, 10 | Same as Wireshark; capturing requires elevated privilege you should only hold on your own systems. |
| Zeek (formerly Bro) | Network-security monitor that turns raw traffic into rich, structured connection/protocol logs (conn, dns, http, ssl, files) — the analyst's network "metadata." | 10, 21 | Deploy as a passive sensor on a span/tap inside your own network. |
| Suricata | High-performance IDS/IPS and network-security monitor; runs signature rules (ET/Snort-format) and produces protocol logs and alerts. | 7, 10, 22 | Tune and deploy on your own perimeter/segment; IPS mode can block legitimate traffic if mis-tuned. |
| Snort | The long-standing signature-based IDS/IPS; the rule format much of the industry still speaks. | 7 | As Suricata. |
| Arkime (formerly Moloch) | Full-packet-capture indexing and retrieval at scale — search and pivot through historical captured sessions during an investigation. | 10, 25 | Full-PCAP retention has privacy and legal implications; scope and access-control it deliberately. |
| nmap | Network and port discovery and service/version fingerprinting — for a defender, asset inventory and attack-surface verification ("what is exposed that should not be?"). | 6, 7 | Authorized scanning only. Run against your own ranges to inventory and validate firewall rules; never against third parties. |
| NetworkMiner | Passive network-forensic tool that extracts files, credentials, and host details from a capture for analysis. | 10, 25 | Analyze captures you lawfully collected. |
Wireshark and tcpdump are for packet-level questions; Zeek is for connection-level questions at scale (you do not grep terabytes of PCAP — you query Zeek's logs). Suricata/Snort add known-bad detection on top of that traffic. The pattern from Chapter 10 holds: full packet capture is the ground truth but is expensive to keep; network metadata (Zeek logs, flow records) is the affordable, query-friendly layer you actually live in day to day.
🔗 Connection:
nmapis the canonical dual-use tool. The penetration tester in the offensive companion volume uses it to find a way in; you (Chapters 6–7) use it to discover the host nobody documented and to verify that your default-deny firewall actually denies — scanning your own perimeter from outside and confirming only the intended ports answer. Same tool, opposite chair, and the authorization is the difference.
C.2 SIEM, log management, and analytics
Logs are the ground truth (a conviction threaded from Chapter 1). A Security Information and Event Management (SIEM) platform centralizes, normalizes, correlates, and alerts on them. These tools build the SOC's nervous system of Chapter 21 and feed the detection and hunting of Chapter 22. They are described here neutrally — choice depends on scale, budget, and existing stack, not on any ranking.
| Tool | One-line purpose | Chapter | Note |
|---|---|---|---|
| Elastic Stack (ELK: Elasticsearch, Logstash, Kibana) | Open search-and-analytics stack widely used to ingest, store, search, and visualize logs; a common open-source SIEM foundation. | 21, 22 | Free/open tier is capable; some security features sit in paid tiers — confirm current licensing for your use. |
| Wazuh | Open-source security platform combining host-based intrusion detection (HIDS), log analysis, file-integrity monitoring, and built-in SIEM/XDR features; ships with rules and dashboards. | 11, 21, 22 | Agents run on your hosts; an accessible "batteries-included" open SIEM for labs and small teams. |
| Splunk | Widely deployed commercial log-analytics and SIEM platform (SPL query language); a free tier exists with volume limits. | 21 | Commercial; named because its SPL and data model are an industry lingua franca worth recognizing. |
| Microsoft Sentinel | Cloud-native SIEM/SOAR on Azure (KQL query language), tightly integrated with M365/Entra telemetry. | 21, 15 | Commercial, consumption-priced; relevant to Meridian's hybrid M365/Entra footprint. |
| Graylog | Open-source-core log management and SIEM with alerting, dashboards, and pipelines; an alternative to the Elastic stack. | 21 | Open core with commercial add-ons. |
| OpenSearch | Community fork of Elasticsearch/Kibana under a permissive license — search, analytics, and dashboards for log data. | 21 | Fully open-source; a licensing-driven alternative to Elastic. |
| Vector / Fluent Bit | High-performance log/metric collection, parsing, and routing — the "plumbing" that ships telemetry into whatever SIEM you run. | 21 | Open-source pipelines; pair with any of the above. |
The right way to read this table is not "which SIEM is best?" but "which centralization and query layer fits my data volume and team?" The skills transfer: the normalization, correlation-rule, and alert-tuning concepts of Chapter 21 are the same whether the query language is SPL, KQL, Lucene/EQL, or SQL. Learn the concept (Chapter 21's normalize/correlate logic), and you can drive any of these.
⚠️ Common Pitfall: Buying or deploying a SIEM and treating the dashboard as the work. An unwatched SIEM with no tuned detections and no analyst to act on alerts is the failure mode called out in Chapters 1, 15, and 21 — technology with no process and no people. The tool in C.2 is the substrate for detection-as-code (C.10); it is not detection by itself.
C.3 Endpoint and EDR telemetry
The host is where a foothold becomes a disaster, and where the richest investigative telemetry lives (Chapter 11's EDR-versus-antivirus argument). These open tools generate or query that telemetry — they are the sensors that feed Sections C.2 and C.10.
| Tool | One-line purpose | Chapter | Note |
|---|---|---|---|
| Sysmon (Sysinternals) | Free Windows system monitor that logs process creation with command lines and hashes, network connections, image loads, and more — the single highest-value free Windows telemetry source. | 11, 22 | Deploy fleet-wide via Group Policy with a tuned config; feed events to your SIEM. |
| osquery | Exposes the operating system (Windows/Linux/macOS) as a SQL-queryable database — inventory, running processes, listening ports, installed software, and drift, all via SQL. | 11, 23 | Read-only by design; superb for live inventory, baseline auditing, and incident triage at scale. |
| Wazuh agent | Host agent providing HIDS, log collection, file-integrity monitoring, and rootcheck — open-source endpoint visibility tied to the Wazuh server (C.2). | 11, 21 | See Wazuh in C.2. |
| Auditd | The Linux kernel auditing subsystem — records system calls, file access, and command execution for forensic-grade host logging. | 11, 25 | Native to Linux; tune rules to avoid log volume overwhelming value. |
| Velociraptor | Open-source endpoint visibility and digital-forensics/IR platform — hunt across thousands of endpoints with a query language, collect artifacts, and triage live. | 22, 24, 25 | Read/collect-oriented; bridges endpoint hunting (Ch. 22) and forensics (Ch. 25). |
| Open EDR / Wazuh XDR | Open-source endpoint detection-and-response options providing behavioral telemetry and response actions without commercial licensing. | 11, 22 | Capabilities vary by project; evaluate maturity before relying on response actions. |
The crucial pairing from Chapter 11 recurs here: you constrain what the host permits (hardening — Section C.6) and you record what happens anyway (Sysmon, osquery, auditd, EDR). The second category is what a SOC analyst lives in during an investigation; the Sysmon-plus-SIEM combination is the most common free starting point for Windows behavioral detection.
C.4 Vulnerability scanning
The most reliably exploited vulnerabilities are known flaws with patches available that nobody deployed yet (Chapter 11's patch-management argument; Chapter 23's prioritization). These scanners find them so you can fix them in priority order — for authorized assets only.
| Tool | One-line purpose | Chapter | Authorization note |
|---|---|---|---|
| OpenVAS / Greenbone | Open-source network vulnerability scanner — probes hosts and services against a large, updated feed of vulnerability tests and reports findings with severity. | 23 | Authorized scanning only. Active scanning can disrupt fragile services (Chapter 33's OT warning); scope and schedule it. |
| Trivy | Fast, open-source scanner for container images, filesystems, and IaC — finds vulnerable OS packages and application dependencies, plus misconfigurations and secrets. | 23, 29, 31 | Run in your own pipeline against your own artifacts. |
| Grype | Open-source vulnerability scanner for container images and filesystems, pairing with the Syft SBOM generator. | 23, 29 | As Trivy. |
| Nuclei | Fast, template-driven scanner that checks targets against a community library of known-vulnerability and misconfiguration signatures. | 23 | Authorized targets only — templates probe real CVEs; use against assets you own or are scoped to test. |
| Nikto | Open-source web-server scanner for known dangerous files, outdated components, and common misconfigurations. | 13, 23 | Authorized web targets only; noisy and easily logged — by design, since you are scanning your own. |
| Lynis | Host-based security-auditing tool for Linux/Unix/macOS — assesses hardening, configuration, and compliance from on the system. | 11, 23 | Run locally on your own hosts; read-only auditing. |
Note the two families. Network/remote scanners (OpenVAS, Nuclei, Nikto) probe from the outside and require authorization because they actively touch a target. Local/artifact scanners (Trivy, Grype, Lynis) inspect your own images, filesystems, and hosts and are safe to run constantly in your own pipeline. The Chapter 23 lesson — prioritize by CVSS and real-world exploitation (KEV) and exploit-prediction (EPSS) and asset context, not by raw count — applies to the output of all of them: a scanner that produces 4,000 findings nobody triages is the SIEM pitfall in another form.
🔗 Connection: The Log4Shell pattern (CVE-2021-44228) from Chapters 12, 23, and 29 is exactly what Trivy and Grype exist to catch before it becomes your 3 a.m. emergency — a vulnerable dependency buried deep in a build, found by scanning the image and the SBOM rather than waiting for the exploit traffic to find you.
C.5 Cloud security posture
In the cloud, most breaches are self-inflicted misconfigurations of the layers you control — public storage and over-broad IAM (Chapter 15). These tools audit your own cloud accounts against secure baselines, implementing Cloud Security Posture Management (CSPM) for the always-yours configuration layers.
| Tool | One-line purpose | Chapter | Authorization note |
|---|---|---|---|
| Prowler | Open-source security-assessment and CSPM tool for AWS, Azure, GCP, and more — runs hundreds of checks mapped to CIS, PCI-DSS, and other frameworks. | 15 | Run with read-only credentials against accounts you own/administer. |
| ScoutSuite | Open-source multi-cloud auditing tool that collects configuration via the provider APIs and reports risky settings in an offline HTML report. | 15 | Read-only collection against your own cloud accounts. |
| CloudSploit | Open-source cloud-configuration scanner for misconfigurations and compliance gaps across major providers. | 15 | As above. |
| AWS Security Hub / Azure Defender for Cloud / GCP Security Command Center | Native, provider-built CSPM that continuously scores your account against benchmarks and aggregates findings. | 15 | Commercial/native; the provider's own posture service for its platform. |
| Open Policy Agent (OPA) / Conftest | Policy-as-code engine to evaluate infrastructure-as-code and configurations against rules before they are applied — the preventive guardrail of Chapter 15. | 15, 31 | Runs in your own pipeline; preventive, not just detective. |
| Checkov / tfsec / KICS | Open-source static analysis for Terraform/CloudFormation/Kubernetes manifests — catch the public bucket or 0.0.0.0/0 rule in code review. |
15, 31 | Your own IaC, in your own CI. |
The Chapter 15 hierarchy is the way to use these: prevent with guardrails (OPA, Checkov, tfsec — catch it in the IaC before it exists), detect with CSPM (Prowler, ScoutSuite, native — catch what slipped through), and protect the running workload with CWPP (the runtime/vulnerability tooling of C.3/C.4 adapted to cloud). All of them are read-only or pipeline-side and run against your accounts — there is no authorization ambiguity when you are auditing infrastructure you own.
C.6 Hardening and configuration auditing
Hardening is attack-surface reduction against a benchmark (Chapter 11). These tools either apply a hardened baseline or audit a system against one — the "is this running system actually compliant?" question that bluekit's audit_baseline (Chapter 11) models in miniature.
| Tool | One-line purpose | Chapter | Note |
|---|---|---|---|
| CIS-CAT (Center for Internet Security) | Assesses a system against the official CIS Benchmarks and reports a conformance score per control. | 11, 15 | CIS membership/licensing applies for the full tool; the Benchmarks themselves are the authoritative source (see Appendix F). |
| OpenSCAP / SCAP Security Guide | Open-source implementation of the SCAP standard — audits and remediates Linux systems against profiles including STIG and CIS-aligned baselines. | 11 | Open-source; the standard government/enterprise Linux hardening auditor. |
| Lynis | Host-based hardening and compliance audit for Unix-like systems (also in C.4). | 11 | Read-only; quick to run on any Linux/macOS host. |
| Microsoft Security Compliance Toolkit / LGPO | Microsoft's official security-baseline GPOs and tooling to apply and audit Windows hardening at scale. | 11 | Vendor baseline; pairs with Group Policy. |
| DISA STIG Viewer / Evaluate-STIG | View and assess systems against U.S. DISA Security Technical Implementation Guides. | 11 | Government baseline; STIGs play the CIS role for federal systems. |
| osquery | SQL-queryable live configuration — audit hardening state and detect drift across the fleet (also in C.3). | 11, 23 | Read-only; excellent for fleet-wide baseline drift detection. |
The discipline behind every tool here (Chapter 11): adopt the benchmark, test it against real workloads before enforcing, document every deliberate deviation, then enforce and audit. A standard nobody verifies is a standard nobody follows — these are the verification half.
C.7 Incident response and digital forensics
When prevention fails (it will — Theme 4), these tools preserve evidence and reconstruct what happened, implementing the forensic discipline of Chapter 25 and supporting the response lifecycle of Chapter 24. Order-of-volatility and chain-of-custody (Chapter 25) govern how you use them.
| Tool | One-line purpose | Chapter | Note |
|---|---|---|---|
| Volatility (2 & 3) | The standard open-source memory-forensics framework — extract processes, network connections, injected code, and artifacts from a RAM capture. | 24, 25 | Analyze memory you lawfully acquired; capture before powering off (order of volatility). |
| Autopsy / The Sleuth Kit | Open-source disk-forensics platform — examine filesystems, recover deleted files, build timelines, and analyze a disk image through a GUI (Autopsy) or CLI (TSK). | 25 | Work on a forensic image, never the original evidence drive. |
| KAPE (Kroll Artifact Parser and Extractor) | Fast targeted collection and parsing of high-value forensic artifacts from a live or imaged Windows system. | 24, 25 | Free for defensive use; ideal for rapid triage collection. |
| Plaso / log2timeline | Builds a super-timeline by extracting timestamps from dozens of artifact types into one chronological record — the backbone of timeline reconstruction. | 25 | Pairs with Timesketch for review; the timeline is the forensic narrative. |
| Timesketch | Open-source collaborative timeline analysis — review, annotate, and pivot through Plaso super-timelines with a team. | 25 | Collaborative analysis of timelines you built. |
| Velociraptor | Endpoint hunting and remote forensic collection at scale (also in C.3). | 24, 25 | Collect/triage across the fleet during an incident. |
| dd / dc3dd / Guymager / FTK Imager | Forensically sound disk and image acquisition — bit-for-bit copies with hashing for integrity. | 25 | Acquire to a verified image; record hashes for chain of custody. |
| YARA | Pattern-matching engine to scan files/memory/disk for indicators of known malware or attacker tooling (also in C.10). | 22, 24, 25 | Hunt for IoCs across collected evidence. |
The Chapter 24/25 partnership shows here: incident response (Chapter 24) stops the bleeding — isolate, disable, block — while forensics (Chapter 25) establishes the truth — what was touched, how they got in, what left. KAPE and Velociraptor serve the urgent triage; Volatility, Autopsy, and Plaso serve the deep reconstruction. Acquire in order of volatility (memory before disk), work on copies, and hash everything (bluekit's evidence_hash, Chapter 25) so the evidence holds up.
⚖️ Authorization & Ethics: Forensic tools read everything — deleted files, browser history, private messages. Use them only on systems and data you are authorized to investigate (your organization's assets, with appropriate HR/legal involvement for employee devices), preserve chain of custody, and treat what you find with the discretion an investigation demands. The lost-device and insider-threat playbooks in Appendix D flag exactly where legal must be in the loop.
C.8 Cryptography and TLS testing
Cryptography is only as good as its configuration (Chapters 4 and 5). These tools generate, inspect, and test cryptographic material and TLS deployments — verifying that the encryption protecting your own services is actually strong.
| Tool | One-line purpose | Chapter | Note |
|---|---|---|---|
| OpenSSL | The ubiquitous toolkit and library for TLS/crypto operations — generate keys and CSRs, inspect certificates, test a server's TLS, and compute hashes from the command line. | 4, 5, 20 | The Swiss-army knife; openssl s_client, x509, genrsa, and dgst are daily defender commands. |
| testssl.sh | Open-source script that probes a TLS service and reports protocols, cipher suites, certificate health, and known vulnerabilities (e.g., weak ciphers, expired certs) in one run. | 5, 9 | Run against your own services to validate TLS configuration before an auditor does. |
| SSLyze | Fast, scriptable TLS-configuration scanner — analyzes a server's TLS settings and certificate for weaknesses, with machine-readable output for pipelines. | 5, 9 | Authorized targets (your endpoints) only. |
| Hashcat / John the Ripper | Password-recovery tools — for a defender, used in authorized password-strength audits to find weak/crackable credentials in your own directory before an attacker does. | 16 | Authorized internal audits only, on hashes you are entitled to test; document scope and handling. |
| mkcert / step-ca / cfssl | Generate and manage certificates and a private CA for internal services and labs. | 5, 20 | Internal PKI and lab use. |
| age / GnuPG (GPG) | Modern (age) and classic (GPG) file encryption and signing for protecting data at rest and verifying integrity/authenticity. | 5 | Encrypt your own data; verify signatures on software you install. |
testssl.sh and SSLyze answer the practical, audit-facing question "is the TLS on this service actually strong, and is the certificate about to expire?" — the kind of finding bluekit's cert_days_left (Chapter 20) automates. Hashcat and John are dual-use: the same engine that cracks passwords for an attacker is what a defender runs, under authorization, to prove that the organization's password policy resists cracking — pairing with Chapter 16's strength and breached-password checks.
C.9 Secrets scanning
A long-lived credential committed to source control is the single most common serious cloud finding (Chapter 15) and the core of Chapter 20's secrets-management discipline. These tools find secrets before an attacker does — in your own repositories.
| Tool | One-line purpose | Chapter | Authorization note |
|---|---|---|---|
| Gitleaks | Open-source scanner that detects hard-coded secrets (API keys, tokens, passwords) in Git repositories, history, and files using regex and entropy. | 20, 31 | Scan your own repositories, including full history; wire into pre-commit and CI. |
| TruffleHog | Open-source secrets scanner that finds credentials across repos and other sources and can verify whether a found credential is still live. | 20, 31 | Your own repos/sources; verification touches the credential's provider — keep it to your own keys. |
| detect-secrets (Yelp) | Open-source scanner designed for a pre-commit hook with a baseline file, preventing new secrets from being committed. | 20, 31 | Your own repos; baseline-driven to manage false positives. |
| git-secrets (AWS Labs) | Pre-commit/commit-msg hook that blocks commits containing patterns that look like AWS keys and other secrets. | 20 | Local developer guardrail on your own repos. |
| Trivy | Also scans filesystems and images for embedded secrets (see C.4). | 20, 31 | Your own artifacts. |
The Chapter 20/31 lesson: scanning is the backstop, not the fix. The real solution is to never put the secret in the code at all — use a secrets manager or vault and short-lived, rotatable credentials (the roles-over-long-lived-keys argument from Chapter 15). Run bluekit's scan_secrets concept (Chapter 20) and these tools as pre-commit hooks and CI gates so a secret is caught before it lands in history, where rotating it (not deleting the commit) becomes the only safe remediation.
⚠️ Common Pitfall: Deleting a leaked secret from the latest commit and assuming it is gone. Git history is forever and is mirrored across every clone and fork; a secret committed even once must be treated as compromised and rotated, not merely removed. Secrets scanners search history precisely because the secret you deleted yesterday is still in the log.
C.10 Detection-as-code
The highest-leverage shift in modern defense is treating detections as version-controlled, testable, shareable code (Chapter 22). These formats and tools let you write, share, and run detection logic portably — the detection content layer that sits on top of the SIEM (C.2) and endpoint telemetry (C.3).
| Tool / format | One-line purpose | Chapter | Note |
|---|---|---|---|
| Sigma | A generic, vendor-neutral signature format for SIEM detections — write a rule once in YAML and convert it to Splunk SPL, Elastic EQL, Sentinel KQL, and more. | 21, 22 | The "write once, deploy anywhere" detection format; the open detection-engineering lingua franca. |
| YARA | Pattern-matching rules to identify and classify malware and attacker artifacts in files, memory, and disk. | 22, 24, 25 | Hunt for known-bad across endpoints and evidence; pairs with EDR and forensics. |
| Suricata / Snort rules | Network-detection signatures for IDS/IPS — the format Emerging Threats and commercial feeds ship. | 7, 10, 22 | Deploy on your own sensors; tune to your environment. |
| Sigma rule repositories / SigmaHQ | Community libraries of ready-made Sigma detections mapped to MITRE ATT&CK techniques. | 22 | Adapt community rules to your data sources; do not deploy blind. |
| MITRE ATT&CK / ATT&CK Navigator | The knowledge base of adversary techniques and a tool to map your detection coverage against them. | 2, 22, 24 | The framework that organizes detection coverage (bluekit's attack_technique, Ch. 22). |
| Atomic Red Team | Open library of small, safe tests that emulate single ATT&CK techniques so you can validate whether your detections fire. | 22 | Authorized environments only — run in your own lab/test estate to test detections, never on production without scope and approval. |
This is where Chapters 21 and 22 converge into practice. Sigma decouples your detection logic from your SIEM vendor, so the rules survive a platform migration and can be shared across the community mapped to ATT&CK. YARA does the same for file/memory indicators. Atomic Red Team closes the loop — you write the Sigma/YARA rule, run the corresponding atomic test in your lab, and confirm the alert actually fired, turning detection from hope into a tested control. Coverage is measured against MITRE ATT&CK (Chapter 22's attack_technique; Chapter 36's coverage metric), so the framework, the format, and the validation tool form one workflow.
🔗 Connection: Detection-as-code is the same engineering discipline the whole book argues for, applied to detections: version-controlled, peer-reviewed, tested, and measured against a framework (ATT&CK). It is what turns the SIEM of Chapter 21 from a log bucket into a maturing detection capability, and it is the content that the metrics of Chapter 36 (
mttd,coverage) actually measure.
C.11 Choosing and combining tools
A defender does not need every tool here — they need the right combination for their environment and the discipline to operate it. A pragmatic open-source starter stack for a small team, mapped to the functions above:
- Visibility: Zeek + Suricata on a network tap (C.1); Sysmon + osquery on the hosts (C.3).
- Centralization: Wazuh or the Elastic/OpenSearch stack as the SIEM (C.2).
- Detection content: Sigma rules (converted to your SIEM) + YARA, validated with Atomic Red Team (C.10).
- Posture: Lynis/OpenSCAP for host hardening audits (C.6); Prowler/ScoutSuite for cloud (C.5); Trivy + Gitleaks in CI (C.4, C.9).
- Response: Velociraptor + KAPE for triage, Volatility + Autopsy + Plaso for deep forensics (C.7).
Three closing principles carry across every category:
- The tool is the substrate; the process is the security. A SIEM with no tuned detections, a scanner whose findings nobody triages, a CSPM dashboard nobody acts on — each is the recurring failure of "technology without process and people." Every tool here serves a process taught in the chapters; the tool does not replace it (Theme 1).
- Authorization is non-negotiable for anything that probes. Port scanners, vulnerability scanners, web scanners, secrets scanners, and password auditors are defensive only against assets you own or are explicitly scoped to test. The same
nmap, OpenVAS, or Hashcat is a defender's asset on your network and a crime on someone else's. When in doubt, do not scan. - Verify your own supply chain. Download tools from official sources, check signatures or checksums, and keep them updated — the Chapter 29/31 lesson applied to your toolkit, because a defender compromised through a backdoored tool is no defender at all.
The authoritative, current source for any tool is its own project documentation; treat this appendix as a map of what exists and what it is for, not as installation instructions. The chapters teach the concepts; these tools are how you practice them, in your own lab, on your own systems, under your own authorization.