Blue Team Resources

Tools

1) Abuse.ch – https://abuse.ch/#about

The abuse.ch initiative was started in 1998 to help combat spam email and the proliferation of spam websites. The abuse.ch community is one of the largest in the world and includes more than 50 ISPs, law enforcement agencies, research institutions, and the Swiss Federal Office for Information Security (FOIS).

When a website is found to be hosting or linking to spammy content, it is added to a blacklist by volunteers, who then share the list with other ISPs so they can block access to these malicious sites.

2) Threatfeeds.io – https://threatfeeds.io/

Threatfeeds.io is a great solution for security teams that want to pull threat intelligence data from the web and act on it.

There are many sources of threat intelligence data available, but they are scattered across multiple sites, so you have to search through many pages to find what you’re looking for. Data spread across different sites makes it hard for security teams to manage their work.

Threatfeeds.io was created to solve this problem. It lets security teams get all the latest information about threats in one place, and it provides free APIs as well.

3) VirusTotal – https://www.virustotal.com/gui/home/upload

VirusTotal is a free online service that analyzes files and URLs, providing information about malware and other threats.

VirusTotal was founded in 2004 to offer the first open online scanning service for the public. It has grown to become one of the most popular malware detection services on the internet. VirusTotal is based in Spain and was acquired by Google in September 2012.

Here is the homepage of VirusTotal:

[Screenshot: VirusTotal homepage]

4) IPVoid – https://www.ipvoid.com/

IPVoid is a collection of IP-related tools, such as the IP blacklist check (the most popular one), IP geolocation lookup, and some URL- and DNS-related tools as well. You can use these tools to investigate a particular artifact or to perform network and DNS troubleshooting.

5) IBM X-Force Exchange – https://exchange.xforce.ibmcloud.com/

The X-Force Exchange is a free platform that lets you find, create and sell new vulnerabilities. It is an open marketplace where security researchers can buy and sell their research data and share knowledge to make the internet safer.

IBM created the X-Force Exchange to help customers find out about newly discovered vulnerabilities in their systems and make sure they are not vulnerable to the latest threats.

Dashboard of IBM X-Force Exchange:

[Screenshot: IBM X-Force Exchange dashboard]

6) Microsoft Sysinternals – https://docs.microsoft.com/en-us/sysinternals/downloads/

Microsoft Sysinternals is a software suite that gives administrators a set of powerful tools for troubleshooting and diagnosing system problems and tuning system performance.

Sysinternals was originally created by Mark Russinovich, and it is now maintained by Microsoft. The suite has been downloaded over 1 billion times since its creation in 1996. The site and tools are owned and operated by Microsoft, but they are not supported or endorsed by them.

The Sysinternals website is hosted by Microsoft Corporation, with servers in the USA. The website was designed to be accessible to everyone, including people with disabilities who use assistive technologies like screen readers and screen magnifiers.

7) Shodan.io – https://www.shodan.io/?language=en

Shodan.io is a search engine for Internet-connected devices. It’s a free tool that lets people find specific types of devices and see how they are connected to the internet. The website’s slogan is “Searching for devices connected to the Internet,” and the results of a Shodan search include a lot of information. Users can also use an address or IP to find computers on a network or devices with specific open ports.

Specifically, Shodan has been designed to find devices that are publicly accessible on the internet and have not been protected with a password. Shodan makes use of the existing infrastructure of the internet to gather data about devices connected to it.

Shodan is also a tool for system administrators, security professionals, and hackers that allows one to scan the internet for vulnerable systems, find specific types of devices, or discover newly connected devices.

8) Any.Run – https://app.any.run/

Any.Run is a free service that allows you to run any application on any operating system. It does this by taking advantage of system virtualization, which has been around for quite some time.

It is similar to VMware Workstation and Oracle VirtualBox, but it does not require you to purchase or install any software. It also runs on Windows, Linux, and macOS. It allows you to run multiple virtual machines simultaneously in your browser. Each of these VMs has its own operating system and set of permissions.

9) MXToolBox – https://mxtoolbox.com/

A set of email-related tools that help you analyze the components of an email, from the sending domain to the entire header, and give you results you can investigate to find out whether an email is a phishing email or not.

10) Hash Function + Salt Decrypter – https://www.dcode.fr/hash-function

This tool lets you decode most hashed values by comparing them with a database of precomputed hash values, and gives you the original string. Indeed, a very powerful tool to crack passwords.

11) AbuseIPDB – https://www.abuseipdb.com/

AbuseIPDB is a free and open-source community project that collects information on IP address abuse. The data collected is stored in an SQLite database and displayed in a web interface.

The original AbuseIPDB was created by Paul Vixie in 2002, who then passed the baton to Daniel Roesen in 2009, who later handed it off to Richard Henderson. In 2016, I took over management of AbuseIPDB.

12) URLVoid – https://www.urlvoid.com/

Similar to IPVoid, URLVoid checks a URL’s reputation and history.

13) SourceForge for Open-Source Software – https://sourceforge.net/

SourceForge.net is a web-based software development platform that offers a variety of features to help programmers and developers share projects, manage source code, track defects, submit patches, and more.

While the site was founded to let users distribute free software over the internet, it now also hosts thousands of other projects, including both open-source and closed-source commercial software.

14) Tenable Nessus – https://www.tenable.com/products/nessus

Nessus is a vulnerability scanner that can check the security of your network. It uses a database to look for vulnerabilities in your systems and lets you know how secure your network really is. You can also use it to scan AWS instances or other cloud instances, making it one of the best security scanning tools on the market.

My Nessus Dashboard:

[Screenshot: Nessus dashboard]

15) Browserling – https://www.browserling.com/#

In the age of multi-screen web browsing, Browserling is a browser for cross-browser testing. It was founded in 2012 and has been around for almost 5 years.

Browserling has been used by companies like BBC, Yahoo, Google, Microsoft, Facebook, Twitter and Mail.ru to test their websites across different browsers and platforms.

As security analysts, we can use it to browse a malicious URL, quickly find out what it redirects to, and take a snapshot of it.

16) Hybrid Analysis – https://www.hybrid-analysis.com/

Hybrid Analysis is a unique website that provides in-depth analysis of cyber attacks. The site contains an impressive amount of information, with statistics on the different types of attacks carried out over the past few months available to users.

One particularly interesting section is the one dedicated to cyber attack vectors. This section gives a high-level overview of how a cyber attack can be carried out and how the different types of attacks are conducted. It’s useful both for companies that want to carry out a penetration test and for security professionals who want to understand how hackers operate.

17) OSINT Framework – https://osintframework.com/

The OSINT Framework is a structured collection of OSINT tools and resources that may be used to find information about a target more quickly and easily. It is a web-based platform that lets you browse several OSINT tools on various themes and goals based on your requirements.

18) Hatching Triage – https://tria.ge/

Triage is Hatching’s new and revolutionary malware sandboxing solution. It leverages a unique architecture, developed with scaling in mind from the start. Triage can scale up to 500,000 analyses per day, an unprecedented number for a sandboxing service. You need to register and wait for approval. It has more options for VM selection than the Any.Run free version.

19) URLScan.io – https://urlscan.io/

This tool is a free URL scanner that checks whether a site is blacklisted, i.e. whether it is banned by Google, Facebook, Bing and Yandex. The website has a database of more than 1 million sites.

20) Koodous – https://koodous.com/

Koodous is an Android malware analysis tool where we can search by package name or by the hash of the Android APK file and scan it. The community will flag it as malicious if it is. This can be used to understand exactly what kind of apps we have installed on our mobile devices.

21) Cisco Talos Intelligence Group – https://talosintelligence.com/

Cisco Talos is a threat intelligence and cyber intelligence team that provides data analysis and threat research for Cisco. The team is made up of researchers, engineers and analysts who use open source intelligence methods to monitor global internet traffic and malware activity.

They provide their findings to the Cisco security product portfolio to help protect customers from advanced cyber threats. The team monitors more than 500 million global devices every day, which allows them to identify trends in cybercrime and work with law enforcement agencies around the world to investigate malicious actors.

The Cisco Talos Intelligence Group also has a blog, which is updated daily.

Cisco Talos Home Page:

[Screenshot: Cisco Talos home page]

22) AlienVault OTX – https://otx.alienvault.com/

AlienVault OTX is a free, agentless, unified endpoint threat detection platform that provides actionable intelligence on your endpoints to detect and prevent cyberattacks.

OTX uses behavioral analytics to correlate activity across hosts in real time, so you can block the attack (e.g., via SIEM integration) and remediate compromised devices.

AlienVault OTX Dashboard:

[Screenshot: AlienVault OTX dashboard]

23) MITRE ATT&CK Navigator – https://mitre-attack.github.io/attack-navigator/

The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more.

Here is how it looks when you create a new page:

[Screenshot: ATT&CK Navigator, new page]

24) Uncoder – https://uncoder.io/

This website is a universal Sigma repository and converter powered by SOC Prime. You can paste a Sigma rule and convert it into a correlation rule for almost any SIEM. A very handy tool for SOC leads. It also has some built-in rules that you can use and convert into a correlation rule for the platform of your choice.

Here is a look at the home page:

[Screenshot: Uncoder home page]

25) CyberChef – https://gchq.github.io/CyberChef/

CyberChef is a collection of tools developed by GCHQ, known as the “Cyber Swiss Army Knife”.

It is a simple web application that can be used to perform all types of cybersecurity operations and can be really helpful for analysis work by cybersecurity professionals.

26) PhishTool – https://app.phishtool.com/

PhishTool is a battle-tested combination of threat intelligence, OSINT and email metadata that helps you respond to phishing attempts more easily than before and improves response time through automation. Its extensive email security can protect your organization from phishing campaigns that other, less secure users may be susceptible to.

The phishing campaign is fed into PhishTool. The PhishTool team then performs a manual review to determine how much of a threat these phishing attempts may be. Once this has been determined, the relevant information is sent to the appropriate staff via email. Its intuitive dashboard also lets you manage what PhishTool has notified you about and see what you can do to protect your organization.

27) Joe Sandbox (Windows) – https://www.joesandbox.com/#windows

Joe Sandbox is a cutting-edge malware analysis engine. With a unique multi-technology approach, Joe Sandbox allows security specialists to analyze files on Windows machines using the latest machine learning techniques.

28) Email Dossier – https://centralops.net/co/EmailDossier.aspx

Used to investigate email addresses and check whether they are involved in phishing activity.

29) Wireshark – https://www.wireshark.org/download.html

Wireshark is a packet sniffer and network traffic analyzer that can capture data from your local network. It lets you capture packets and analyze them later, even when you’re not connected to the internet. It has many features, including displaying a list of captured packets with timestamps, sequence numbers, and more.

30) osquery – https://osquery.io/

osquery is an open-source operating system instrumentation framework for Windows, OS X (macOS), and Linux. It provides a broad set of tools for querying the OS kernel to account for a wide range of performance, availability, and security metrics. osquery can be used to monitor system events, gather performance metrics, identify malware or other unauthorized software running on a system, and more.
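As an added example of the "identify unauthorized software" use case mentioned above (this is not code from the page or from the osquery project), here are two queries you can paste into the interactive `osqueryi` shell. They rely only on osquery's standard `processes`, `listening_ports` and `users` tables; the loopback-address filter in the second query is an assumption about what is worth reviewing, not an osquery requirement.

```sql
-- Added example (not from the page or the osquery project): two osquery queries
-- illustrating how the OS can be interrogated with SQL to spot unauthorized
-- software. Run them in osqueryi or schedule them in an osquery pack.

-- 1) Running processes whose executable no longer exists on disk.
--    A binary deleted after launch is a common way for malware to hide its
--    payload; osquery reports on_disk = 0 for such processes on Linux/macOS.
--    A clean host normally returns few or no rows.
SELECT p.pid, p.name, p.path, p.cmdline, u.username
FROM processes AS p
LEFT JOIN users AS u ON p.uid = u.uid
WHERE p.on_disk = 0;

-- 2) Every process listening on a network socket, with its owner and
--    command line. Compare the result with what the host is supposed to run;
--    an unexpected listener deserves investigation. The address filter is an
--    assumption: it drops loopback-only listeners so that only services
--    reachable from the network remain. protocol is numeric (6 = TCP, 17 = UDP).
SELECT lp.pid, p.name, p.path, p.cmdline, lp.protocol, lp.address, lp.port, u.username
FROM listening_ports AS lp
JOIN processes AS p ON lp.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```

Both queries return a snapshot of the current state; to turn them into monitoring rather than a one-off check, schedule them in an osquery configuration pack so that osquery logs the rows that appear or disappear between runs and your SIEM can alert on new entries.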