An interactive directory of 125+ SaaS platforms cataloging their value for offensive operations, adversary simulation, and security research.
LOLFSaaS cross-references lolc2, lolexfil, and the LOTS Project to provide the most comprehensive per-platform intelligence available for offensive security practitioners.
Every entry includes:
- Trust level - Is this domain whitelisted by enterprise proxies and email filters?
- Abuse surface - Phishing, C2, exfiltration, payload hosting, credential harvesting
- OPSEC risk - How likely is this activity to be noticed?
- SOC detection - Will a SOC flag traffic to this service?
- Ban risk - How aggressively does the platform enforce against offensive use?
- Verification requirements - What's needed to sign up? Email only? CC? Phone? Identity?
- Auth protocols - SAML, OIDC, SCIM, OAuth, MFA support per platform
- Free tier details - What you get for free, trial durations, developer account limits
- Known C2 frameworks - Direct links to 125+ C2 tools from lolc2 mapped to their SaaS channels
- Exfiltration tools - rclone, MEGAcmd, GraphRunner, DET and more mapped per platform
- Detection signatures - API endpoints and domain patterns to monitor
- MITRE ATT&CK mapping - Techniques per platform
- Official documentation - Pricing, SSO, and API docs linked per entry
125 SaaS platforms across 12 categories:
| Category | Count | Examples |
|---|---|---|
| C2 Channel | 30+ | Telegram, Discord, Slack, Teams, Notion, Airtable, Postman |
| Cloud | 16 | AWS, Azure, GCP, Cloudflare, Firebase, Vercel, Render, Replit |
| Phishing | 14+ | Google Forms/Sites, DocuSign, Loom, Calendly, Canva, LinkedIn |
| Storage | 12+ | Mega, Box, Wasabi, Backblaze B2, Mediafire, iCloud, Filebin |
| DevOps | 6+ | GitHub, GitLab, Bitbucket, Azure DevOps, Gitee, Glitch |
| Email | 5 | SendGrid, Amazon SES, Twilio, Mailgun, Mailchimp |
| Paste | 7 | Pastebin, Rentry.co, ZeroBin/PrivateBin, Termbin, Sprunge |
| Redirector | 3 | Bitly, TinyURL, Rebrandly |
| Business App | 7 | Salesforce, ServiceNow, HubSpot, ClickUp, Trello |
| Website Builder | 3 | Wix, WordPress.com, Webflow |
| SSO Target | 2 | Okta, Azure AD / Entra ID |
| Other | 5+ | Splunk, Imgur, Adobe Express, Tumblr, Blogger |
LOLFSaaS aggregates and cross-references data from:
- lolc2 - 35 SaaS services with C2 framework implementations
- lolexfil - Exfiltration tools mapped to cloud storage targets
- LOTS Project - Trusted domain abuse catalog
- Official vendor documentation - Pricing pages, SSO docs, API references
The interactive directory supports filtering across 8 dimensions:
- Category (Cloud, C2 Channel, Phishing, Storage, DevOps, Email, Paste, etc.)
- Abuse type (Phishing, C2, Exfiltration, Payload, Credentials)
- OPSEC level (Low, Medium, High)
- Signup type (None, Email, Email+CC, Phone, Trial, Dev)
- Auth protocols (SAML, OIDC, SCIM, OAuth, MFA)
- Trusted domain only
- Domain fronting support
- Has known C2 framework
We welcome contributions. Each platform entry follows a structured data model with required fields. See CONTRIBUTING.md for the schema and submission guidelines.
Every entry includes a lastVerified date - if you notice outdated information (changed free tier limits, new verification requirements, updated policies), please submit a PR.
License: MIT

Acknowledgments:
- lolc2 for the comprehensive C2 framework catalog
- lolexfil for exfiltration tool mappings
- LOTS Project by @mrd0x for the trusted domain abuse catalog