Because I go on camera and inadvertently create the impression that I know what I'm doing, I often get asked what the "best" tool for a given situation is. This question often comes from a place of wanting to invest time in learning a new tool, and folks want to make sure they're making a wise decision with their time.
Unfortunately, there is no "best" tool. There are only tools that work for you and don't. Everything else is just silly tribalism. People can get very loyal to brands, to operating systems, to...text editors. None of that is about technical advantages/disadvantages; it's entirely about being part of an in-group. Resist the urge to loyalty to tools. Get your work done with what works for you.
With that warning out of the way, I felt it was appropriate to put together a list of what works for me. That's all this is. I make no claims about any of these selections being better than others, much less "the best." They're the set of things I've cobbled together over years of experience and that I've become comfortable using. You may love them. You may not. Either way, I hope this list proves a valuable starting point for creating your own set of preferred security tools.
- Table of Contents
- How to Read This List
- How NOT to Read This List
- My Biases
- The Lazy Version
- Base System
- Cross-Functional Tools
- WebApp Pentesting
- Threat Hunting/DFIR
- Malware Analysis/Debugging
This is a list of tools I use across multiple job descriptions: web app pentesting, threat hunting, malware analysis, and more.
Each item in this list will have a link, an explanation of why I like it, some things I put up with while using it, and recommendations to configure it for best usability. Use these details as a starting point for your toolset, not a prescription. My methods and preferences will almost certainly not be yours, and that's okay! Even if you discover that you don't like these tools, this list has done its job by pointing you in a direction.
Of course, some of you hate reading, so I've provided the quick list of the tools detailed here for the impatient.
This is in no way an invitation to debate. If you think I'm wrong, that's fine. If you want to convince me you're right, let me stop you right there. I have no interest in debates about what tools are better. These tools work for me. If I find compelling evidence why I shouldn't use them, like if a CEO is weirdly into cryptocurrency, I'll change it up. I'm happy you have your preferences. These are mine. They don't have to be the same.
I want to be clear about some of my biases when choosing tools right up front. Take these with you as you evaluate this list.
- Whenever possible, I choose the open source option. Yes, I mean open source.
- I prefer cross-platforms tools for when I need to work on other OSes.
- I care about the ethics of the developers (and will make changes when I learn something new).
- I will choose interoperability over aesthetics.
Base System
- Operating System: KDE Neon
- Web Browser: Vivaldi
- Terminal (Linux): Terminator
- Terminal (Windows): Windows Terminal
- Shell: Fish
- Password Manager: Bitwarden
Cross-Functional Tools
- Text Editor: Vim
- Text Editor (alternate): VSCode
- Notes: Joplin
- Screenshots: Flameshot
- Terminal Multiplexer: Tmux
WebApp Testing
- HTTP Proxy: ZAProxy
- Directory Fuzzer: Feroxbuster
- API Testing: Insomnia
- Better cURL: HTTPX
Threat Hunting/DFIR
- IoC Management: Sigma
- Incident Response: Mandiant Redline
- Deep Analysis: Jupyter Lab
Malware Analysis/Debugging
Operating System: KDE Neon
This Linux distribution is based on Ubuntu LTS, but uses the latest packages from KDE to get you the latest and greatest features of the Plasma Desktop.
I've used so many Linux distributions over the years I've lost count. Yes—including Arch, both from scratch and prepackaged with the lovely (and now discontinued) Antergos. But the season of distrohopping or spending all my time and energy futzing with my OS has passed for me. I need my stuff to work with a minimum of configuration. That said, I do have some configuration I want easily available in my desktop environment. That's why the Plasma desktop is my preferred Linux DE. And for some time now, its resource usage has outperformed GNOME. It's not as lightweight as the tiling windows managers or XFCE, but it's light enough, with an attractive out-of-the-box appearance that enables you to get working quickly.
The package manager in KDE Neon is weird! For some reason they hate when you use apt upgrade. Instead they have their own pkcon tool for upgrading packages. It's fine, but I'd prefer they not mess with the standard tool.
Configuring your virtual desktops, keyboard shortcuts, etc. can make Plasma a joy to work with. I strongly recommend taking some time to configure these to your preferences.
Get comfy with snaps! Snaps (and Flatpak) are supported by the Discover software store, and allow easy installation of many common apps.
Web Browser: Vivaldi
Until recently, I was a steadfast Brave user. Then I learned some grodier stuff about how Brave's business model works, and the behavior of their CEO. Vivaldi fills my need for a privacy-respecting Chromium-based browser with a few extra features I really need and don't exist in plain ol' Chromium.
Vivaldi is Chromium-based, which means my must-have browser extensions all work fine with it. It also has the DevTools I prefer. I'm sorry Firefox, as much as I want you to be amazing, there are parts of my computing life that require some Goog-only tools (like casting). And before someone tells me how I can accomplish all this with Firefox: I know. I've tried. It's hacky and unreliable and I decided against it.
Vivaldi is fun! It feels like old-school Opera, with unexpected bells and whistles. Some fun stuff I didn't expect:
- Tiled tabs
- A neat little sidebar for apps like Mastodon or Wikipedia
- Add effects to pages like invert colors or sepia tone
Vivaldi also has cloud-synced profiles for extensions settings, and other data. This is essential for me, as I use these profiles to sync my pentesting setup from machine to machine.
Now you might have privacy concerns about this, which is fair. But good news: the entire profile is end-to-end encrypted with a master key of your choosing.
Some of Vivaldi's behaviors are weird, like how it handles tab movements from window to window. That just goes against muscle memory, but it's mostly fine. Same goes with how tab opening works, or the fact that you need to specifically configure it to always prefer HTTPS in the settings.
The one actually annoying thing I've found concerns dark mode. On Linux, Vivaldi does not honor system color schemes. Yes, you can add a dark theme to Vivaldi, but websites like GitHub and Microsoft Learn which are using OS-level settings for color scheme will default to light, as will any error pages. There is a Chrome flag you can set that will enable dark mode on everything, but that can add its own complications. I haven't found a good solution for this; I'm mainly hoping Vivaldi sorts it out in an upcoming version.
Make. Your. Own. Theme. Vivaldi has a built-in theme editor that is simple to use, and very fun!
Also definitely take the time to create a profile and sync it for easy movement of configs from machine to machine.
Terminal Emulator (Linux): Terminator
You need a terminal emulator. The built-in one in KDE (Konsole) is just fine. But Terminator has a lot of out-of-the-box features I enjoy, and enough functionality that you don't have to resort to a terminal multiplexer if you don't want to. That plus easy configuration for color and font themes win me over.
Some of my favorite features:
- Easy splitting of windows
- Broadcast mode to send the same commands to multiple panes
- Easy profiles/theme configuration
- Tabs and tiling
Don't forget to make terminator your command for Ctrl+Alt+T or whatever your favorite shortcut is!
Take some time to make a custom profile and save it somewhere you can move it between machines. That config lives at ~/.config/terminator/config.
Terminal Emulator (Windows): Windows Terminal
Hardly a unique choice, but I think it's important to call out how good this piece of software really is. It makes using multiple shells (PowerShell, cmd, WSL) in combination on Windows quite pleasant. And with some hidden superpowers, it's maybe my favorite first-party tool from Redmond.
Ever used PowerShell? Ever get tired of the blue window? How about the constant separate windows? Windows Terminal solves this with tabs, panes (yes, really), and handling multiple profiles for firing up shells of all kinds. It even integrates with your WSL installs (which you should absolutely be using) to put all your terminal needs in one place.
I think a fix for this is on the way, but for now opening Admin shells is still a bit odd for Windows Terminal.
Find a theme! Use it! Then customize your PowerShell experience following these steps.
Shell: Fish
Bash is Fine. Zsh is fine. But I'm a Terminal dork, and I wanted something a little more feature-filled. I happened upon Fish years ago, and have been satisfied with it ever since.
#!/usr/bin/fish
# Resize images in a directory
cd images
for i in (ls *.png)
convert -resize 50% resized-$i
endHow is that for some clean syntax? Maybe it's not POSIX-compliant, but honestly that never really gets in my way. Instead, I have a much cleaner scripting language.
What's more, Fish has top-rate command completion and history, better even than zsh. It is just a much more comfortable shell to use every day.
Sometimes, certain programs that expect a POSIX-compliant shell will have issues in Fish. You can drop to a bash or zsh session in those cases, or wrap the program invocation in bash -c if you really need to. It doesn't happen often, but it's worth knowing the workaround when it does.
Right away, install Oh My Fish to add extensions to fish, including themes and other capabilities.
I use OMF to install bobthefish, which provides Git symbology on the command line. To use it, you'll need Powerline enabled fonts, which you can get here.
Password Manager: BitWarden
I was a LastPass customer for over a decade. Their recent mismanagement of their security incident convinced me they could no longer be trusted with my information. However, their failure is not an indictment of the concept of a password manager. While some feel that a local-only solution like KeePass is the only "secure" solution, I feel strongly that tools like a browser-integrated password manager are necessary as long as passwords are around to improve the overall strength and uniqueness of users' passwords.
So, Bitwarden. They've been around for some time, offering both a hosted and self-hosted version of an open source password management solutions.
One thing I liked about LastPass was some of the custom data types they had out of the box, like bank accounts and SSH keys. Bitwarden lacks these, but can store the data nevertheless.
I'm still learning about Bitwarden, but I think my biggest recommendation for making it great is to use it. Like actually use it. Make it part of your everyday use of your browser. Use the mobile app. Tell your friends. Make weak passwords a thing of the past.
Text Editor: Vim
Use it or don't. It's not a religion and nobody's making you.
Let's get this out of the way. Vim is hard to use. Anyone who says otherwise is being pretentious and trying to appear superior. It's not the kind of text editor anyone starts with. It requires practice to gain proficiency. Many commands are unintuitive, or intuitive for a different generation.
This is starting to read like why I don't like it. And yet, I love Vim. It took me a while to get comfortable with it, but after forcing myself to do so, Vim became kind of a superpower for a lot of use cases. Processing text files with Vim makes many processes faster or cleaner. It can be a hex editor. It can filter values. Oh, and of course the regular expression support.
Well, it's Vim. You have to learn it. I think it's worth the time investment for the powerful tool you gain access to.
Vim has a vast plugin ecosystem. VimAwesome is where you'll find them. There are multiple Vim plugin managers, but I've settled on Vim-Plug.
My .vimrc is pretty specialized, but you can certainly see it as a starting point.
Text Editor for Programming: Visual Studio Code
I've used all the Electron-based text editors—all the way back to Adobe Brackets. Atom was cool, until it wasn't. Sublime Text is its own thing, and so is Notepad++. Kate on KDE is pretty neat as well, but for a single solution across platforms and languages, Visual Studio Code can't be beat.
Extensions. That's why. The extension ecosystem gives VSCode the benefits of an IDE without the bloat of an IDE.
I write Rust, I get the benefits of rust-analyzer. I write Hashicorp stuff, I have HCL syntax support.
Heck, I can even load Jupyter Notebooks if I want. I can even open the editor directly from Windows Subsystem for Linux and interact with my projects on that filesystem.
Memory bloat, I guess? I've honestly never had a real issue with VSCode. It's a very solid bit of kit.
Extensions make the difference. But one super important setting that isn't an extension is bracket pair colorization. This makes brackets and parentheses pairs use separate colors to make them easier to visually match. Not sure why this isn't a default, but it's suuuuper handy.
Notes: Obsidian
You might think it's weird for someone who wrote a whole dang C2 framework for a different notes app to be recommending this one. I promise there are good reasons.
I'm a text guy. Not everyone is. I know some folks take notes primarily by diagram. Me? I'm too hyperverbal for that. I like lists. I like paragraphs. I like headings. Put simply, I like Markdown, and anything that gets in the way of me writing Markdown for my notes is not a value-add. That's why Notion, as nifty as it is for several use cases, is not my preference for note-taking.
So why Obsidian? Why not another Markdown-based solution like Joplin, especially since that one is fully open-source?
For a long time, Joplin was the recommended note app in this section. And then I ran into some cases where its limitations started to bug me. In particular, a rather unhelpful task list format, as well as a poor mobile version, led me to re-examine Obsidian. When I did, I found I was much happier with it this time around. I use Obsidian Sync for end-to-end encryption, but I also like that I could use a Git repo.
But perhaps the most important difference between Obsidian and Joplin for me is that Obsidian uses flat Markdown files that you could read with anything else. Joplin creates this bizarre proprietary tree of diffs, almost like an ad-hoc Git repository itself. It's impossible to inspect the Joplin folder for the single note file you want. This presents a form of lock-in that made me increasingly uncomfortable. Obsidian removed that issue. My notes are simple folders of Markdown now, so if I choose to move on from Obsidian, the transfer process is painless.
By syncing encrypted notes with Obsidian Sync, I get the convenience of my notes everywhere with the security of end-to-end encryption. That makes Obsidian suited even for red team engagements, as described in Responsible Red Teaming.
Obsidian also has a rich publishing option that allows you to make a website directly from your Vault! I'm very excited at this prospect for knowledgebase creation.
The mobile app is just the desktop app with responsive scaling. That's both bad news and good news. The bad news is sometimes wonky interface choices. The good news, and this really blew me away, is that all the desktop extensions work on mobile! This was critical for me, as I rely on some of those extensions for my workflow, both at my desk and out in the world.
My list of must-have plugins for Obsidian:
Dracula Theme Official: Naturally.Kanban: The Trello-like task management is how I run my life.Excalidraw: The built-in Canvas tool is really neat, but come on! Who doesn't love those whimsical diagrams?Ozan's Image in Editor Plugin: Allows image previews in Markdown mode. This should be native.Copy Document as HTML: Does what it says. Copy the document or selection as HTML. Super useful for transferring to things like Google Docs.
Screenshots: Flameshot
Plasma Desktop has its own built-in screenshot tool which works well enough. As does Windows, of course. I lived and died by Win+Shift+S before I discovered Flameshot. Now, I use it basically exclusively for my screengrabbing needs.
It's cross-platform, for one thing. With Flameshot, I can standardize my screenshotting process across any OS I'm working on. Easy access to annotation/redaction tools makes it an even bigger win.
The only, ONLY thing that's a tad frustrating with Flameshot is that on Linux, you'll need to manually bind a key sequence to the command flameshot gui for keyboard access. Clicking on the taskbar icon works too, but I'm a keyboard guy.
I have Meta+Shift+F mapped to flameshot gui on my Linux machines.
In addition to setting keyboard shortcuts, setting your font and color preferences can really personalize your screenshots. Other than that, this thing is pretty much perfect out-of-the-box. Install it everywhere.
Terminal Multiplexer: TMux
If you're on a Linux system, you likely already have TMux installed, or it's readily available. TMux is another one of these tools that require some practice to use well, but I think it's quitel worth the time investment for the productivity wins.
Even though the terminal emulator I prefer (see above) can split panes, TMux can do so both locally and on a remote system, and does so much more fluidly than Terminator does. Once the keyboard shortcuts are muscle memory, it's trivial to fire up new tabs and panes to move about the environment, set up ad-hoc dashboards, or monitor systems/output.
Like Vim, TMux takes practice. The good news is, there are a ton of resources to learn. TryHackMe even has a room on TMux! I recommend going through it.
TMux Plugin Manager grants you access to some very useful extensions. My tmux.conf gives you some idea of what's possible, including saving sessions and making copy/paste easier.
HTTP Proxy: ZAProxy
No surprise here. I wrote an entire course on how to use ZAP for professional webapp testing. But I actually do love it. The ZAP team have created a powerful open source tool for web app testing that competes favorably with commercial alternatives. I started using ZAP when Burp Pro was not available through my employer, and I got comfortable enough with it to actually prefer ZAP.
This is going to bewilder some of you, but I find the ZAP user interface much easier to navigate than Burp's. I won't go so far as to call it intuitive—just too many knobs and levers for that—but I never get lost.
The Fuzzer in particular works extremely well, and getting comfortable with that aspect of the app will make your testing much more effective. The same is true for the authentication handling and context configurations, which allow you to specify what technologies you're attacking for a given context. Basically, I appreciate how configurable ZAP is for the specific test I'm doing.
And when I'm done, the reporting is invaluable. ZAP's built-in reports are not the only necessary artifact of a proper webapp test, but they provide important details such as specific parameters for a discovered vulnerability, as well as CWE listings to guide report recipients in remediation.
Like any Java application, ZAP could be more performant. Sometimes when handling large responses, ZAP freaks out and I've had to kill the window. Luckily sessions can be saved so recovery isn't too bad. I don't recommend running ZAP on anything less than 8GB of RAM.
ZAP will raise a ton of what I consider "junk" alerts by default. You'll want to configure some Global Alert Filters to adjust severity for your own situation.
ZAP's plugins really are something else. Here are a few I love:
- FuzzDB Lists
- Python Scripting
- Community Scripts
- Wappalyzer
- SAML
- JSON view
Python scripting is its own rabbit hole, but even the built-in Zest scripting can easily extend ZAP's abilities for you. Explore the script templates and community scripts to get a sense of what's possible.
I'd also recommend checking out the Automation features. These allow you to create scan templates and sets of tasks to be run for each new context. Takes a lot of the setup out of your testing process.
Directory Brute Forcer: Feroxbuster
There are tons of great options in this space. Dirbuster, GoBuster, and more. None of them have stayed slotted into my workflow like Feroxbuster. Sure, I'm inclined to like Ferox because it's written in Rust, but it's the featureset that keeps it on the lineup.
Feroxbuster is fast. Like crazy fast. Sometimes too fast (see below). But it gets the job done, and does so with a host of configuration options that work perfectly for my methodology.
Feroxbuster can be so fast that it can bring down less resilient servers. It's important to use the command-line options to run it at the correct speed and concurrency rate for your target. I tend to use -L 15 -t 15 for my default throttle, but that's 225 concurrent requests. If you need to slow it down, remember that your concurrent requests will be:
connection limit (-L) x threads (-t)
So 2 threads with a connection limit of 10 results in 20 concurrent requests.
It's really worth your time to read the surprisingly extensive documentation.
As above, read the docs. But here are a couple of options I love:
--burp-replay: Automatically sends any hits on your configured status codes (-s) to a proxy listening on port 8080.--auto-bailstops scanning directories with a ton of errors
API Testing: Insomnia
ZAP is great when there's a browser-based interface to test. That isn't always the case. Sometimes you're testing an API directly. I used to use Postman for this, but in keeping with my attempt to use open source tools whenever possible, Insomnia has filled the niche quite nicely.
Insomnia handles the gnarly parts of API testing fairly seamlessly, like OAuth token acquisition (assuming you have that information). It also makes adding additional headers simple. But perhaps the most important feature of Insomnia is that it does in fact accept Postman collection files as imports. This allows me to work with dev teams who use Postman as a matter of course.
Honestly, I'm still getting used to how Insomnia handles certain things, like separate spaces for different projects. In Postman, these were "Collections." Insomnia uses folders. Still works fine, just a different workflow.
Insomnia also has an extensive plugin ecosystem. I would check out some of the OAuth ones, and perhaps the cloud integrations, if that's your bailiwick.
cURL Alternative: HTTPX
This is not by any means required, but I bet you'll love it once you've tried it. cURL is great for quick testing of URLs, but it leaves a lot to be desired for the modern user. HTTPX picks up the slack, adding useful command line options to interact with URLs. Output is colorized as well.
Imagine if cURL were written with webapp testing in mind. That's pretty much it. The command line options say it all.
It's Python, so the normal installation weirdness applies. I strongly recommend pipx.
Well, sometimes you'll get JSON output, so jq should almost certainly be in the toolbelt.
IoC Management: Sigma
This one might be a bit obvious, but I'm including it anyway. If you're not using Sigma to generate/save threat detection rules, you should. Sigma means you're not locked into one vendor's weirdo format, and can easily convert rules from one platform to another.
In a word: sigmac. The Sigma Converter tool makes it simple to convert rules from a generic Sigma format to specific SIEM queries like Splunk, Azure, and more. It'll even export out to STIX for sharing. IoC Sharing is caring.
Not all the converted queries will work perfectly with your setup, depending on field/index names, so you may wish to create a custom conversion config.
What I just said.
Incident Response Triage: Trellix Redline
You've just gotten access to a compromised machine. You don't have your normal EDR. You don't have other logs. What are you going to do to get data quickly?
That's what Redline is designed for. Redline allows you to create customized collectors to gather exactly what data you want from an endpoint—including memory snapshots if you wish.
Redline is essentially a self-contained version of Trellix's (née FireEye) endpoint protection software. It uses the same tools to gather evidence, and then displays the evidence in a table-based interface. The collection is simple enough, and the display, while basic, beats the pants off Event Viewer.
The timeframe management just straight-up sucks. You can't paste timestamps in any format, and it's a hassle to move back and forth between views because those time filters may or may not be saved. Also, Windows Event logs can be collected, but aren't always parsed correctly, so searching by column of data is hit-and-miss.
I got nothing. I wish Trellix would update this thing, or any of the other tools they offer. I'm not holding my breath.
Deep Analysis: Jupyter
Well this one comes as no surprise either. I wrote 2 courses on this subject. But really, I can't stress how often I fire up Jupyter notebooks to perform in-depth investigations on collected data. Once you have this capability, it's a superpower.
I like Python. I like data science. I like Python for data science. But seriously, at the risk of repeating what I've written elsewhere, Jupyter allows the creation of reusable analysis tools that are self-documenting when written correctly.
Learning Python isn't exactly a simple prerequisite. There are other kernels besides Python, but none with the analytical toolset so ready to hand.
Use Jupyter Widgets. Seriously. And learn a data viz library, whether it's Plotly, Seaborn, Bokeh, or d3. Use it well to explain your data.
Disassembler: Cutter
Sometimes, you gotta look at the bytes. Cutter makes this easy across platforms! And by integrating the Ghidra decompiler, you can even get C-like syntax for your review.
It's full-featured, easy to use, and gets right to the point of analyzing binaries. What sets it apart from some others is some extra love for exotic binaries. I haven't found anything that parses Rust or Go-compiled samples as well as Cutter.
It claims to have a debugger built-in, but I've never seen it work. I really want it to. If the debugger worked, that'd be basically the only tool I'd need for most analysis tasks.
Cutter is fine as-is, but if you use it in conjunction with its CLI debugger counterpart (see below), you're really cooking' with gas.
Debugger: Rizin
All the cool features (and more!) of radare2 without grody developer behavior. Rizin is a fork of Radare, and this new dev team creates both Rizin and Cutter. I've been using both for some time and quite enjoy the experience—usually.
It's not GDB.
But seriously folks, I find the command structure much more intuitive for Rizin than the GNU debugger.
The debugging process is quite distinct from GDB's, requiring the use of rz-run scripts or one-liners to load input/arguments.
The command line syntax is unique, and takes some getting used to. I recommend going through the Rizin Book to learn the ins and outs.
Also, unfortunately the Python integration is not nearly as complete as it is for GDB. Scripted debugging is possible, but rather unwieldy. Which is why...
Visual mode is also...a lot. Again, it's about practice. But like a lot of other things on this list, the time invested in learning it is rewarded with remarkable capability.
...Rizin is best paired with an IPython3 REPL in a nearby terminal window. I like doing this with Tmux. IPython (installed with Jupyter) along with pwntools is the perfect companion to Rizin. It's a lot of terminal, but that's how I like to work.
Malware Disposition: PEStudio
This is the first install I make on a malware analysis machine. When investigating a malware sample, I like to work smarter, not harder. My malware analysis is not academic; it's in service of incident response or threat hunting. I don't need to know how every single subroutine works. I do need to quickly disposition a sample for evilness. PEStudio does this by checking for suspicious imports, strings, and VirusTotal results.
Does what it says on the tin.
It can be a little slow, so plan to get a sandwich or do some other analysis while it runs.
None, really. Consider this a first step in analysis, not a complete picture.
First Look: PE-bear
When you're ready to go a little deeper, PE-bear is a nice middleground between full-on static analysis and the quick disposition provided by PEStudio. With this, you get a hex view, stats, imports, and other information about the executable.
It's lightweight, cross-platform, and informative at a glance.
One killer feature is the comparison of 2 binaries side-by-side.
Nothing frustrating I've found so far, as long as you're using the tool for its purpose.
None so far. It's pretty great as-is!