The defensive tool catalogue
These are the tools that appear in every job description, every textbook, every conference talk. The goal of this page is recognition + categorization + where to learn each one legally, not a how-to-attack manual.
Defensive frame throughout. Practice tools against systems you own or labs designed to be broken (TryHackMe, HackTheBox, CyberDefenders). Never against unauthorized targets; see /learn/cyber/legal.
::category 01
Wireshark
both
Packet capture and analysis. The default network-protocol analyzer for 25+ years. Every NetOps + SOC + IR + reverse-engineer learns it.
::learn wireshark.org · official docs + Chris Sanders' Practical Packet Analysis textbook
tcpdump
both
Command-line packet capture. Predates Wireshark; both sit on libpcap and share the same BPF capture-filter syntax, so filters carry over. Lighter weight for headless servers + production captures.
::learn tcpdump.org · manual page is canonical
Zeek
blue team
Network security monitoring framework (formerly Bro). Turns raw traffic into structured, per-protocol logs (conn.log, dns.log, http.log, ssl.log and more). Defensive analysis layer above raw capture.
::learn zeek.org · official documentation
Suricata
blue team
Network IDS/IPS with signature-based detection (Snort-compatible rule syntax). Often paired with Zeek for full coverage: Suricata alerts on known-bad, Zeek records what actually happened.
::learn suricata.io · official rule sets via Emerging Threats
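Added example, not code from Wireshark, tcpdump or Zeek: a minimal classic-pcap reader in Python that dissects Ethernet/IPv4/TCP/UDP, applies a cut-down display filter, and rolls packets up into a Zeek conn.log-style table. The capture is constructed in memory so the block runs offline; `build_frame`, `dissect_pcap`, `display_filter` and `conn_summary` are names chosen here, not library APIs.

```python
# Added example (pcap reader + Zeek-style rollup), not Wireshark/tcpdump/Zeek code.
import struct
from collections import defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 around a prebuilt TCP/UDP segment (constructed test data;
    the IPv4 checksum is left at zero because this reader does not verify it)."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + l4


def tcp_segment(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(frames):
    """Global header, then a 16-byte record header per frame (little-endian, as on x86)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def dissect_pcap(data):
    """One dict per packet with Ethernet -> IPv4 -> TCP/UDP fields (Wireshark's packet list)."""
    if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", data, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different, block-based format)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"ts": ts_sec + ts_usec / 1e6, "len": incl_len, "proto": "non-ip"}
        if struct.unpack_from("!H", frame, 12)[0] == 0x0800:          # EtherType IPv4
            ip = frame[14:]
            l4 = ip[(ip[0] & 0x0F) * 4:]                               # skip IHL*4 header bytes
            pkt["src"], pkt["dst"] = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
            if ip[9] == 6:                                             # TCP
                sport, dport, _seq, _ack, doff, flags = struct.unpack_from("!HHIIBB", l4, 0)
                pkt.update(proto="tcp", sport=sport, dport=dport, flags=flags,
                           payload=l4[(doff >> 4) * 4:])
            elif ip[9] == 17:                                          # UDP
                sport, dport = struct.unpack_from("!HH", l4, 0)
                pkt.update(proto="udp", sport=sport, dport=dport, payload=l4[8:])
            else:
                pkt["proto"] = str(ip[9])
        packets.append(pkt)
    return packets


def display_filter(packets, proto=None, port=None):
    """Cut-down equivalent of a Wireshark display filter such as `tcp.port == 445`."""
    return [p for p in packets
            if (proto is None or p["proto"] == proto)
            and (port is None or port in (p.get("sport"), p.get("dport")))]


def conn_summary(packets):
    """Zeek conn.log-style rollup: one row per 5-tuple with packet count and payload bytes."""
    rows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for p in packets:
        if p["proto"] in ("tcp", "udp"):
            key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
            rows[key]["pkts"] += 1
            rows[key]["bytes"] += len(p["payload"])
    return dict(rows)


# Constructed traffic: a SYN to 445, a DNS query, two TLS-looking segments to 443.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.9", 6, tcp_segment(51000, 445, 0x02)),
    build_frame("10.0.0.5", "10.0.0.1", 17, udp_datagram(53111, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    build_frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(51001, 443, 0x18, b"\x16\x03\x01")),
    build_frame("10.0.0.5", "93.184.216.34", 6, tcp_segment(51001, 443, 0x18, b"\x17\x03\x03")),
])

if __name__ == "__main__":
    pkts = dissect_pcap(SAMPLE_PCAP)
    for p in display_filter(pkts, proto="tcp", port=445):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} flags=0x{p['flags']:02x}")
    for key, row in conn_summary(pkts).items():
        print(key, row)
```

In practice you capture with `tcpdump -i eth0 -w out.pcap` and open the file in Wireshark; the block shows what those tools do with each record: a fixed 16-byte record header, link-type-dependent dissection, then per-flow aggregation of the kind Zeek writes to conn.log. Note that pcapng, Wireshark's default save format since 1.8, is a different block-based format that this reader rejects.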
::category 02
Nmap
both
Network discovery and port scanning. The canonical tool taught in every intro-to-pentest course. Has its own scripting engine (NSE) for service probing and vulnerability checks.
::learn nmap.org · Nmap Network Scanning (Lyon) is the definitive book
masscan
both
Faster than Nmap for internet-scale scans (millions of IPs) because it sends asynchronously and only reports open ports; feed its results to Nmap for service detection. Used by both defenders mapping their attack surface and researchers studying internet posture.
::learn github.com/robertdavidgraham/masscan
nuclei
both
Template-driven vulnerability scanner. Community-curated YAML templates for CVEs and misconfigurations. Defenders run it across their own asset inventory to confirm known exposures are closed.
::learn github.com/projectdiscovery/nuclei · their academy is free
Shodan
both
Search engine for internet-connected devices. Defenders use it to find their own exposed assets before attackers do.
::learn shodan.io · official documentation + Shodan CLI
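Added example, not Nmap's code: a TCP connect scan, which is what `nmap -sT` performs, run against a listener the script starts itself on 127.0.0.1 so it stays inside "systems you own". It reports the three states Nmap uses for connect scans (open, closed, filtered); `start_listener`, `reserve_closed_port`, `probe` and `connect_scan` are names chosen for this block.

```python
# Added example: TCP connect scan against a loopback listener you start yourself.
# Not Nmap code; no service detection or timing templates, just the core probe.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral loopback port, accepting and closing connections in the
    background. Returns (server_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    srv.settimeout(0.2)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except (OSError, ValueError):      # listener socket was closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Bind and release a port without listening, so a probe gets RST (closed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """One connect() probe: 'open' on a completed handshake, 'closed' on RST
    (ECONNREFUSED), 'filtered' when nothing answers before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def connect_scan(host, ports, workers=32):
    """Probe ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: probe(host, p), ports)))


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Nmap's default SYN scan needs raw sockets (root) and never completes the handshake; a connect scan like this one does, so every probe leaves a full connection in the target's logs. That trade-off is worth knowing before choosing `-sT` on a system you are authorized to test.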
::category 03
Burp Suite
both
The dominant web-application security testing platform (intercepting proxy, repeater, scanner). Community Edition free; Pro version is the industry standard for AppSec pros. Standard kit for OSCP/OSWE prep.
::learn portswigger.net · their Web Security Academy is free + the canonical web-security textbook
ZAP (Zed Attack Proxy)
both
Open-source alternative to Burp Suite. Strong CI/CD integration story. Used heavily in DAST pipelines.
::learn zaproxy.org · official getting-started + ZAP-in-CI integration guides
sqlmap
both
SQL injection automation tool. Used by defenders for testing their own application's resilience. NEVER use against systems you don't own or have explicit authorization to test.
::learn sqlmap.org · official documentation only · use in lab environments
Postman / Insomnia
both
Not security tools per se, but every web AppSec pro uses them to inspect and replay API calls under controlled conditions.
::learn postman.com / insomnia.rest · official docs
::category 04
Ghidra
blue team + research
NSA-developed reverse-engineering framework with its own decompiler. Open-source since 2019. Strong competitor to commercial IDA Pro. Expected in malware-analyst job descriptions.
::learn ghidra-sre.org · NSA's own training material + Practical Malware Analysis textbook
IDA Pro
blue team + research
Commercial reverse-engineering standard for 25+ years. The Hex-Rays decompiler is the industry benchmark. IDA Free is feature-limited but teaches the workflow.
::learn hex-rays.com · free trial + The IDA Pro Book (Eagle)
Volatility
blue team
Memory-forensics framework. Reads memory dumps from infected systems to extract IOCs, find injected code, recover artifacts. Volatility 3 is the current (Python 3) branch. Required for IR roles.
::learn volatilityfoundation.org · The Art of Memory Forensics textbook
x64dbg / WinDbg
blue team + research
Windows debuggers. x64dbg open-source, WinDbg from Microsoft. Used in malware analysis and exploit research.
::learn x64dbg.com · official docs · Microsoft Learn for WinDbg
::category 05
Maltego
both
Open-source intelligence + link-analysis. Visualizes relationships between entities (domains, emails, IPs, people). Used in threat-intel research + investigative journalism.
::learn maltego.com · Community Edition free + their academy
SpiderFoot
both
Automated OSINT collection. Aggregates many sources into a single investigation. Used by defenders to inventory their public footprint.
::learn github.com/smicallef/spiderfoot · official docs
VirusTotal
both
Multi-engine malware-scanning + threat-intel platform. Defenders use it for IOC lookups + sample analysis. Free + paid tiers. Caveat: anything you upload is shared with the participating vendors and paying subscribers, so look up the hash first and never upload files that contain your own data.
::learn virustotal.com · official docs
MISP
blue team
Threat-intelligence sharing platform. Open-source. Used by SOCs + ISACs to share IOCs and TTPs.
::learn misp-project.org · official getting-started + community sharing groups
::category 06
Splunk
blue team
Dominant commercial SIEM. Splunk SPL (search language) is industry-standard. Heavy enterprise + DoD presence.
::learn splunk.com · Splunk Free tier + their Boss of the SOC training
Elastic Stack (ELK)
blue team
Elasticsearch + Logstash + Kibana + Beats, with Elastic Security supplying the SIEM layer (detection rules, ATT&CK mapping). Free self-managed tier. Strong adoption in the defender community.
::learn elastic.co · their documentation + free trial
Sysmon
blue team
Microsoft Sysinternals driver + service that generates rich Windows event logs: process creation with hashes and command lines, network connections, image loads, registry and file events. Foundational for any Windows endpoint detection program. Free.
::learn Microsoft Sysinternals docs + SwiftOnSecurity Sysmon config
Sigma
blue team
Open-source format for SIEM detection rules: YAML with a logsource, named selections and a condition. Platform-agnostic; sigma-cli (pySigma backends) converts a rule to Splunk SPL, Elastic DSL, Sentinel KQL, etc. Rules carry MITRE ATT&CK technique tags, so detection coverage can be mapped.
::learn github.com/SigmaHQ/sigma · the Sigma Specification docs
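Added example covering the Sysmon and Sigma entries above; it is not sigma-cli or pySigma. It holds one Sigma rule (its YAML form in a comment, stored as a dict so nothing beyond the standard library is needed), implements Sigma's field modifiers (contains, startswith, endswith, all, wildcards) and the `selection and not filter` condition grammar, and runs the rule over three constructed Sysmon Event ID 1 records. The rule text, the events and the `acme-edr` exclusion path are constructed for illustration.

```python
# Added example: a small evaluator for Sigma detection semantics over Sysmon-style
# process-creation events. Not sigma-cli/pySigma; rule, events and filter path are constructed.
import re
from fnmatch import fnmatchcase

# The rule as it would be written in YAML:
#   title: LSASS Memory Dump via comsvcs.dll MiniDump
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       Image|endswith: '\rundll32.exe'
#       CommandLine|contains|all: ['comsvcs', 'MiniDump']
#     filter:
#       ParentImage|endswith: '\acme-edr\agent.exe'   # hypothetical approved tool
#     condition: selection and not filter
#   tags: [attack.credential_access, attack.t1003.001]
RULE = {
    "title": "LSASS Memory Dump via comsvcs.dll MiniDump",
    "detection": {
        "selection": {
            "Image|endswith": r"\rundll32.exe",
            "CommandLine|contains|all": ["comsvcs", "MiniDump"],
        },
        "filter": {"ParentImage|endswith": r"\acme-edr\agent.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.credential_access", "attack.t1003.001"],
}


def _match_value(value, pattern, mods):
    """Sigma string matching is case-insensitive; plain values take * and ? wildcards."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return fnmatchcase(v, p)


def _match_selection(event, selection):
    """Every field in a selection must match (AND); list values are OR unless |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(event[field], p, mods) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def _eval_condition(cond, env):
    """and / or / not / parentheses over selection names, by recursive descent."""
    toks, pos = re.findall(r"\(|\)|\w+", cond), 0

    def nxt():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def factor():
        tok = nxt()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            nxt()                                  # the closing parenthesis
            return val
        return env[tok]

    def term():
        val = factor()
        while pos < len(toks) and toks[pos] == "and":
            nxt()
            val = factor() and val
        return val

    def expr():
        val = term()
        while pos < len(toks) and toks[pos] == "or":
            nxt()
            val = term() or val
        return val

    return expr()


def matches(rule, event):
    det = rule["detection"]
    env = {name: _match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], env)


def run_rule(rule, events):
    """Indexes of matching events, one alert per hit as a SIEM would raise them."""
    return [i for i, ev in enumerate(events) if matches(rule, ev)]


# Constructed Sysmon Event ID 1 records (only the fields the rule needs).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Program Files\acme-edr\agent.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"},
]

if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, EVENTS), RULE["tags"])
```

Real deployments convert the YAML with sigma-cli (`sigma convert -t splunk -p sysmon rule.yml`, after installing the backend plugin) and let the SIEM do the matching; the evaluator here makes the semantics visible, in particular that all fields inside a selection are ANDed, list values are ORed unless `|all`, and string comparison is case-insensitive.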
::category 07
osquery
blue team
SQL-queryable view of endpoint state: processes, listening ports, users, packages, file hashes, all exposed as tables you can JOIN. Run ad hoc in osqueryi or as scheduled queries in osqueryd, which logs only the rows that were added or removed since the last run. Open-source (originally from Facebook, now under the Linux Foundation).
::learn osquery.io · official documentation + the table schema reference
Velociraptor
blue team
Open-source IR + threat-hunting platform built around VQL (Velociraptor Query Language). Query endpoints at scale during incidents. Created by Mike Cohen (a GRR author), acquired by Rapid7 in 2021 and still developed in the open.
::learn docs.velociraptor.app · official documentation
Autopsy
blue team + LE
Open-source digital-forensics platform built on The Sleuth Kit. Used in DFIR + law enforcement investigations.
::learn autopsy.com · official documentation + DFIR training programs
GRR Rapid Response
blue team
Google's open-source remote-forensic framework. Used at scale for fleet IR + threat-hunting.
::learn grr-doc.readthedocs.io · official documentation
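Added example for the osquery entry above, not osquery's own code: the "endpoint state as SQL" idea reproduced with Python's sqlite3 so it runs offline. The tables use osquery's column names for processes, listening_ports and users, the rows are two constructed snapshots of one host, and `differential` mimics the added/removed rows osqueryd logs for a scheduled query.

```python
# Added example: osquery-style SQL over endpoint state, using sqlite3 stand-in tables.
# Not osquery code; rows are constructed, column names follow osquery's schema.
import sqlite3

SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT, uid INTEGER);
CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT);
CREATE TABLE users (uid INTEGER, username TEXT);
"""

# Pack-style hunt query: anything accepting connections off-loopback whose binary
# does not live under /usr. Unexpected listeners are cheap, high-signal findings.
NON_STANDARD_LISTENERS = """
SELECT p.pid, p.name, p.path, u.username, lp.port
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
LEFT JOIN users AS u USING (uid)
WHERE lp.address NOT IN ('127.0.0.1', '::1')
  AND p.path NOT LIKE '/usr/%'
ORDER BY lp.port;
"""

# Two constructed snapshots of one host, as two runs of a scheduled query would see them.
SNAPSHOT_1 = {
    "processes": [
        (1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init", 0),
        (811, "sshd", "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D", 0),
        (1402, "nginx", "/usr/sbin/nginx", "nginx: master process", 0),
        (2207, "nc", "/tmp/.x/nc", "nc -lvp 4444", 1000),
    ],
    "listening_ports": [(811, 22, 6, "0.0.0.0"), (1402, 80, 6, "0.0.0.0"),
                        (1402, 443, 6, "0.0.0.0"), (2207, 4444, 6, "0.0.0.0")],
    "users": [(0, "root"), (1000, "alice")],
}
SNAPSHOT_2 = {
    "processes": SNAPSHOT_1["processes"][:3]
    + [(3310, "agent", "/home/alice/.local/bin/agent", "agent --listen 8081", 1000)],
    "listening_ports": SNAPSHOT_1["listening_ports"][:3] + [(3310, 8081, 6, "0.0.0.0")],
    "users": SNAPSHOT_1["users"],
}


def load_snapshot(snapshot):
    """Build an in-memory database whose tables mirror the osquery schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in snapshot.items():          # table names come from our own constants
        placeholders = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return db


def run_query(db, sql):
    return db.execute(sql).fetchall()


def differential(previous, current):
    """osqueryd's differential log: rows that appeared and rows that vanished between runs."""
    prev, cur = set(previous), set(current)
    return {"added": [r for r in current if r not in prev],
            "removed": [r for r in previous if r not in cur]}


if __name__ == "__main__":
    r1 = run_query(load_snapshot(SNAPSHOT_1), NON_STANDARD_LISTENERS)
    r2 = run_query(load_snapshot(SNAPSHOT_2), NON_STANDARD_LISTENERS)
    print("run 1:", r1)
    print("run 2:", r2)
    print("diff :", differential(r1, r2))
```

On a real host the query runs unchanged in osqueryi; what reaches the SIEM from a scheduled query is the differential, which is why a long-lived unexpected listener is easy to miss if you only ever look at the latest results and never at the single "added" row that announced it.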
::category 08
MITRE ATT&CK
blue team + research
Knowledge base of adversary tactics + techniques + procedures. Not a tool but a framework — every detection engineer uses it. Free + open.
::learn attack.mitre.org · the framework itself · MITRE Caldera for adversary emulation
Caldera
blue team
Automated adversary-emulation platform from MITRE. Test your defenses against ATT&CK techniques without manual scripting.
::learn caldera.mitre.org · official documentation
Atomic Red Team
blue team
Library of small, executable tests mapped to ATT&CK techniques. Defenders use them to verify their detections actually fire. From Red Canary.
::learn atomicredteam.io · Red Canary's training material
YARA
blue team
Pattern-matching language for malware identification. Defenders write YARA rules to detect known malware families + variants. Foundational malware-analysis skill.
::learn virustotal.github.io/yara · official documentation + The Yara-Forensics field guide
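Added example for the YARA entry, written for this page rather than taken from YARA: a toy scanner that compiles YARA-style text strings (with `nocase` and `wide`) and hex strings (with `??` wildcards and `[n-m]` jumps) to byte regexes, records match offsets, and evaluates a condition using `uint16(0)`, `#name` counts and `n of` semantics. The condition is a Python callable instead of YARA's condition language, and the rule and sample buffers are constructed; none of the strings is a real family signature.

```python
# Added example: toy YARA-style scanner. Not YARA code; rule and samples are constructed.
import re
from dataclasses import dataclass


def compile_text(s, nocase=False, wide=False):
    """YARA text string with optional `nocase` and `wide` (UTF-16LE) modifiers."""
    raw = s.encode("utf-16-le") if wide else s.encode()
    return re.compile(re.escape(raw), re.IGNORECASE if nocase else 0)


def compile_hex(pattern):
    """YARA hex string: bytes, `??` wildcards and `[n-m]` jumps, e.g. { 68 ?? ?? ?? ?? E8 [0-4] C3 }."""
    parts = []
    for tok in pattern.strip("{} ").split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


@dataclass
class ScanResult:
    data: bytes
    offsets: dict                   # string name -> list of match offsets

    def uint16(self, off):          # YARA's uint16(): little-endian read at offset
        return int.from_bytes(self.data[off:off + 2], "little")

    def count(self, name):          # YARA's #name
        return len(self.offsets[name])

    def n_of(self, n, names=None):  # YARA's "n of ($a, $b)" / "n of them"
        names = names or list(self.offsets)
        return sum(1 for k in names if self.offsets[k]) >= n


@dataclass
class Rule:
    name: str
    strings: dict
    condition: object               # callable(ScanResult) -> bool
    tags: tuple = ()


def scan(rule, data):
    """Run every string, then the condition. Returns the ScanResult on a hit, else None."""
    offsets = {n: [m.start() for m in pat.finditer(data)] for n, pat in rule.strings.items()}
    result = ScanResult(data, offsets)
    return result if rule.condition(result) else None


def scan_all(rules, data):
    return [r.name for r in rules if scan(r, data) is not None]


# Constructed rule: an MZ-headed file carrying either a push/call/ret stub or at least
# two of three tell-tale strings. Nothing here is a real malware family signature.
CONSTRUCTED_RULE = Rule(
    name="constructed_pe_dropper_strings",
    strings={
        "a": compile_text("constructed-c2.example"),
        "b": compile_text("cmd.exe /c", nocase=True),
        "c": compile_text("powershell", wide=True),
        "h": compile_hex("{ 68 ?? ?? ?? ?? E8 [0-4] C3 }"),
    },
    condition=lambda m: m.uint16(0) == 0x5A4D and (m.count("h") > 0 or m.n_of(2, ["a", "b", "c"])),
    tags=("constructed",),
)

SAMPLE_HIT = (b"MZ" + b"\x90" * 62 + b"constructed-c2.example\x00"
              + b"CMD.EXE /C whoami\x00" + b"\x68\x10\x20\x30\x40\xe8\x00\x00\xc3"
              + "powershell".encode("utf-16-le"))
SAMPLE_NOT_PE = b"PK" + SAMPLE_HIT[2:]               # same strings, wrong header
SAMPLE_ONE_STRING = b"MZ" + b"\x00" * 62 + b"cmd.exe /c dir\x00"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE), ("one_string", SAMPLE_ONE_STRING)]:
        print(label, scan_all([CONSTRUCTED_RULE], buf))
```

The condition is where YARA rules earn their keep: a header check plus `2 of` a string set stops a rule firing on a text file that merely mentions the same words, and the recorded offsets are what let a real rule pin a string to a location (`$a at 0x40`) or to a particular section.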
Every tool above is dual-use. The ones marked “both” can be wielded for defense or attack depending on authorization. The line between “security researcher” and “federal indictment” is whether you have written permission from the system owner. Read /learn/cyber/legal before you touch any of them against something outside a sanctioned lab.