A curated directory of 125 SaaS platforms with free tiers, documenting abuse surface, OPSEC profiles, detection patterns, C2 framework mappings, and operational limits for security research.
Threat actors increasingly abuse legitimate SaaS platforms for phishing, C2, exfiltration, and payload hosting because the traffic blends with normal business activity. Defenders need to know which services are abused and how. Red teamers need to pick the right platform for the job without guessing.
LOLFSaaS provides structured, per-platform intelligence across 30+ fields so you can answer questions like:
- Which platforms let me sign up with no email, no credit card, nothing?
- Which trusted domains support C2 with known framework implementations?
- What rate limits constrain my beacon interval on Telegram vs Discord vs Slack?
- Does the platform log my activity? Will a SOC flag it? How fast will I get banned?
- Can I bring my own domain? Does it support domain fronting or CDN redirection?

Every entry is cross-referenced with lolc2, lolexfil, and the LOTS Project, and backed by 284 references from threat intelligence reports and security research.

| Metric | Count |
|---|---|
| Total platforms | 125 |
| Trusted domains | 79 |
| Zero-signup services | 19 |
| Custom domain support | 42 |
| Domain fronting / CDN redirection | 6 |
| C2 framework implementations linked | 124 |
| Exfiltration tool mappings | 122 |
| Platforms with detection patterns | 69 |
| MITRE ATT&CK mappings | 125 |
| Threat intel references | 284 |

| Category | Count | Examples |
|---|---|---|
| C2 Channel | 43 | Telegram, Discord, Slack, Teams, Graph API, Notion, Airtable, OpenAI |
| Cloud | 19 | AWS, Azure, GCP, Cloudflare, Vercel, Netlify, Render, Firebase, Supabase |
| Phishing | 17 | Google Forms/Sites, DocuSign, Canva, Loom, Calendly, LinkedIn, Figma |
| Storage | 14 | Mega, Box, Wasabi, Backblaze B2, GoFile, Mediafire, iCloud, Filebin |
| Paste | 7 | Pastebin, Rentry.co, ZeroBin/PrivateBin, Termbin, paste.ee, Sprunge |
| DevOps | 6 | GitHub, GitLab, Bitbucket, Azure DevOps, Gitee, Codepen |
| Business App | 6 | Salesforce, ServiceNow, HubSpot, ClickUp, Trello, Evernote |
| | 5 | SendGrid, Amazon SES, Twilio, Mailgun, Mailchimp |
| Website Builder | 3 | Wix, WordPress.com, Webflow |
| Redirector | 3 | Bitly, TinyURL, Rebrandly |
| SSO Target | 2 | Okta, Azure AD / Entra ID |

| Platform | C2 frameworks |
|---|---|
| Discord | 12 |
| Telegram | 10 |
| Slack | 10 |
| Microsoft Graph API | 7 |
| Azure | 5 |

| Platform | Exfil tools |
|---|---|
| AWS (S3/Lambda/SES) | 16 |
| Azure (Functions/Blob/CDN) | 14 |
| Wasabi | 11 |
| Backblaze B2 | 10 |
| Google Cloud | 8 |

Every entry carries 30+ fields across these groups:
- name · url · category · provider · signup · signupTime · verification · domains[] · trustedDomain · lastVerified
- abuse.phishing · abuse.c2 · abuse.exfil · abuse.payload · abuse.creds
- opsec (low/medium/high) · opsecNotes · socDetection (likely/moderate/unlikely) · banRisk (low/medium/high) · banNotes · trust (high/medium/low/none)
- domainFronting · domainFrontingNotes · customDomain · customDomainNotes · apiEndpoints[]
- rateLimits · maxFileSize · dataRetention · logging
- freeTier.type (free/trial/none) · freeTier.devAccount · freeTier.trialDays · freeTier.limits
- sso.saml · sso.oidc · sso.scim · sso.oauth · sso.mfa · sso.notes
- knownC2[] (name + url from lolc2) · exfilTools[] (name + url from lolexfil) · mitre[] · refs[] (title + url) · detection[]

- Search - full-text across all fields: names, domains, notes, MITRE techniques, SSO details
- Filters - category chips, abuse type toggles, OPSEC level, signup type, auth protocols, trusted domain only, domain fronting only, has C2 frameworks
- Sorting - ordinal sorting for risk columns (HIGH > MED > LOW), alphabetical for text, count-based for C2 frameworks and exfil tools
- Detail overlay - click any row to open a full-screen view with all fields, shareable via unique URL hash (e.g. #Cloudflare-(Workers%2FPages%2FR2%2FTunnels))
- Share links - every service has a direct URL you can share or bookmark
- Contribute - pre-filled GitHub issue template per service for community updates

| Source | Contribution |
|---|---|
| lolc2 | 35 services with 124 C2 framework implementations |
| lolexfil | 122 tool-to-service links across 35 platforms |
| LOTS Project | 19 trusted domain entries cross-referenced |
| Vendor documentation | Pricing pages, SSO docs, API docs per platform |
| Threat intelligence | Reports from Symantec, Fortinet, NVISO, Cofense, Check Point, CYFIRMA, Intel 471, SANS ISC, HC3/HHS, Dark Reading, Proofpoint, Darktrace, Microsoft, AdGuard, and others |

MIT

Community contributions welcome.
