Rawsec's CyberSecurity Inventory

An inventory of tools and resources about CyberSecurity.


Note: Paid resources may exist in a free limited version or a demo version

Bug bounty, pentest and disclosure platforms

Name Website Source Description Price
AVORD [Website] UK penetration testing platform Free
AntiHACK [Website] Singapore bug bounty platform Free
Bug Bounty Hub [Website] Bug bounty platform Free
BugBounty.jp [Website] Japan bug bounty platform Free
Bugcrowd [Website] Bug bounty platform Free
Bugv [Website] Bug bounty platform Free
Cobalt.io [Website] Crowdsourced pentest and bug bounty platform Free
Crowdswarn [Website] Crowdsourced pentest & bug bounty platform Free
CyberArmyID [Website] VDP & bug bounty platform Free
disclose.io [Website] VDP platform Free
FEDERACY [Website] Crowdsourced pentest & bug bounty platform Free
FireBounty [Website] Bug bounty program aggregator Free
HackenProof [Website] Bug bounty platform Free
HackerOne [Website] Bug bounty platform Free
Hackrate [Website] Bug bounty platform Free
HackTrophy [Website] Bug bounty platform Free
huntr [Website] A bug bounty platform dedicated to Artificial Intelligence (AI) and Machine Learning (ML) Free
Immunefi [Website] Bug bounty platform focused on DeFi (Decentralized Finance), blockchain and smart contract security Free
Inspectiv [Website] Bug bounty platform Free
IssueHunt [Website] Bug bounty platform Free
Intigriti [Website] Bug bounty platform Free
Open Bug Bounty [Website] Non-profit bug bounty platform Free
OpenCIRT [Website] Open Cyber Incident Response Team; coordinated vulnerability disclosure for softwares without VDP Free
Plugbounty [Website] Bug bounty platform for plugins, themes, extensions, libraries Free
RedStorm [Website] VDP & bug bounty platform Free
SafeHats [Website] Bug bounty platform Free
ScanTitan [Website] Crowdsourced pentest Free
SSD Secure Disclosure [Website] Rewarded responsible disclosure service Free
SynAck Red Team [Website] Crowdsourced pentest and bug bounty platform Free
Yes We Hack [Website] European bug bounty platform based on the legislation and rules in force in european countries Free
Yogosha [Website] Bug bounty platform Free
Zero Day Initiative [Website] Rewarded responsible disclosure service Free
Zerocopter [Website] Invite-only and closed bug bounty platform Free
ZeroDisclo.com [Website] Coordinated disclosure platform by YesWeHack Free

Challenges platforms

Name Website Source Description Price
ae27ff [Website] Challenge platform Free
Backdoor [Website] Practice area with some past CTF challenges Free
BattleHack [Website] Challenge platform Paid
Begin.re [Website] Binary reverse guided challenges for beginners Free
BugBountyHunter [Website] Learn how to test for security vulnerabilities on web applications with our various real-life web applications; security researcher tutorials, guides, writeups Paid
CanYouHack.It [Website] Challenge platform Free
Challenge Land [Website] Challenge platform Free
CryptoHack [Website] Crypto challenges platform Free
Cryptopals [Website] Crypto challenges platform Free
CTFLearn [Website] Challenge platform Free
CyberDefenders [Website] Training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice Free
DefendTheWeb [Website] Challenge platform Free
Electrica [Website] Programming, cryptography challenges Free
EnigmaGroup [Website] Challenge platform Free
Exploit Education [Website] Exercises and resources about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues Free
Exploit Exercises [Website] VMs, documentation and challenges Free
FreeHackQuest [Website] [Source] Challenge platform Free
Flag4jobs [Website] Challenge platform with job offers Free
Gekkó [Website] Challenge platform Free
Graker [Website] Binary challenges having a slow learning curve, and write-ups for each level (SSH connection) Free
Hack The Box [Website] Challenge platform Paid
Hack This Site [Website] Challenge platform and community Free
HackBBS [Website] Challenge platform and community Free
HackCenter [Website] Private challenge platforms Free
Hacker Gateway [Website] Challenge platform Free
Hacker.org [Website] Challenge platform Free
Hacking Lab [Website] Challenge platform with teachers and solutions Free
Hackropole [Website] Challenge platform; challenges from previous years FCSC Free
HackThis!! [Website] Challenge platform Free
HackViser [Website] Challenge platform Paid
ImmersiveLabs [Website] Story-driven exercises and practical, gamified labs Paid
IO [Website] Binary challenges (SSH connection) Free
LOST-Chall [Website] Challenge platform Free
Microcorruption [Website] Platform including many challenges about embedded devices security; using a debugger the goal is to to unlock the smart lock device by finding vulnerabilities like memory corruption bugs; it involves assembly knowledge and reverse-engineering Free
Mod-X [Website] Challenge platforms through a fictional game Free
Net-Force [Website] Challenge platform Free
NCP [Website] NICE Challenge Project by the NIST and the NSA (for American students only) Free
Over The Wire [Website] [Source] Challenge platform Free
OWASP Juice Shop [Website] [Source] Online demo instance of the OWASP Juice Shop Free
Pwnable.kr [Website] Pwn challenges Free
pwnable.tw [Website] Pwn challenges Free
Rankk [Website] Programming, cryptography challenges Free
RedTigers Hackit [Website] PHP / SQL challenge platform Free
Reversing.Kr [Website] Cracking and Reverse Code Engineering challenge platform Free
Revolution Elite [Website] Math and programming challenges Free
Ringzer0Team [Website] Challenge platform Free
Root-me [Website] Challenge platform Paid
RoseCode [Website] Challenge platform Free
SecDim [Website] Defensive programming challenges, wargames and learning modules Paid
Security Traps [Website] Challenge platform Free
SmashTheStack [Website] Mostly binary challenges Free
Solve Me [Website] Challenge platform Free
SPOJ [Website] Programming challenges Free
Stereotyped Challenges [Website] Web challenges Free
Tasteless [Website] Challenge platform Free
TheBlackSheep [Website] Challenge platform Free
ThisisLegal.com [Website] Challenge platform Free
TryHackMe [Website] Challenge platform with deployable machines; there are also tutorials and courses Paid
TryThis0ne [Website] Challenge platform Free
Valhalla [Website] Challenge platform and community Free
Virtual Hacking Labs [Website] Virtual penetration testing environment with courses and VMs Paid
VulnHub [Website] VM-based challenges Free
VulnMachines [Website] Challenge platform Free
WebHacking [Website] Web challenges Free
W3Challs [Website] Challenge platform Free
WeChall [Website] Challenge platform Free
wixxerd [Website] Challenge platform Free
WTHack [Website] Challenge platform Free
yoire [Website] Challenge platform Free
Zenk-security [Website] Challenge platform and community Free
ZSIS CTF [Website] Challenge platform Free
µContest [Website] Programming challenges Free


Name Website Source Description Price
Archlinux security issues [Website] CVE affecting Archlinux Free
AttackerKB [Website] Forum for the security community to share insights and views that help security professionals better understand the risk in their environment and make more informed decisions around prioritization and defense Free
CISA Known Exploited Vulnerabilities Catalog [Website] Known Exploited Vulnerabilities Catalog Free
CVE Details [Website] Advanced CVE datasource Free
CVExploits [Website] Search engine to find exploits related to a CVE Free
Debian security issues [Website] CVE affecting Debian Free
Mitre [Website] CVE datasource standard Free
NVD [Website] CVE datasource Free
Red Hat security issues [Website] CVE affecting Red Hat Free
OpenCVE [Website] Customizable CVE dashboard, track vulnerabilities that concern you (previously named Saucs) Free
SUSE security issues [Website] CVE affecting SUSE Free
Ubuntu security issues [Website] CVE affecting Ubuntu Free
VULDB [Website] Community-driven vulnerability database Free
VulnIQ [Website] Vulnerability database with CVE, OVAL, CWE, CAPEC, etc. Free


Information, News, Blog

Name Language Website Source Description Price
hackndo French [Website] Blog about pentesting Free
InfoSecAdemy English [Website] Blog about pentesting Free
Hacking Loops English [Website] Blog about pentesting Free
KitPloit English [Website] Tools presentation and announcement Free
Latest Hacking News English [Website] Cybersecurity news, tools presentation and announcement Free
Offensive OSINT English [Website] OSINT articles from an offensive perspective Free
Pentest Blog English [Website] Blog targeting pentesters: security advisories, OS, appsec, network, tools, articles Free
Security List Network English [Website] Tools presentation and announcement Free

Knowledge and tools

Name Website Source Description Price
Argument Injection Vectors [Website] [Source] Curated list of exploitable options when dealing with argument injection bugs and association between CVEs and vectors Free
azure-mindmap [Source] Mindmap listing all possible compromise paths when faced with an Azure environment during a cloud security engagement Free
Bootloaders [Website] [Source] Curated list of known malicious bootloaders for various operating systems Free
bounty-targets-data [Source] Hourly-updated data dumps of bug bounty platform scopes that are eligible for reports Free
Bug Bounty Guide [Website] [Source] Launchpad for bug bounty programs and bug bounty hunters Free
Bug Bounty Hunting [Website] Search engine for bug bounty writeups, payloads and tips Free
Bug Bounty Reference [Source] A list of bug bounty write-up that is categorized by the bug nature Free
C2 Matrix [Source] A table comparing most C2 frameworks Free
Can I take over XYZ? [Source] List of services and how to claim (sub)domains with dangling DNS records Free
Cloud Security Atlas [Website] Risk register for cloud threats and vulnerabilities, search and filter by cloud provider platform, risk type, and sort by impact, exploitability, and recency Free
Cloudvulndb [Website] List all known cloud vulnerabilities and CSP security issues Free
ctf-tools [Source] Setup scripts for security tools Free
CXSECURITY [Website] Exploit index Free
deepdarkCTI [Source] Collection of Cyber Threat Intelligence sources from the deep and dark web Free
DefaultPassword [Website] Default passwords for many devices and services Free
dioterms [Website] [Source] Vulnerability disclosure policy templates; terms for Vulnerability Disclosure Policy (VDP) and Bug Bounty Policy (BBP) Free
Exploitalert [Website] Exploit index; semi-automatic intelligence supervised by a human operator to find publicly available exploits in the Internet Free
Exploit Database [Website] Exploit index; aka EDB or Exploit-DB; can be searched from the CLI with searchploit, sploitctl, getsploit and many other third party tools Free
Extended BApp Store [Website] Burp Suite extensions search engine Free
Filesec.io [Website] Curated list of file extensions being used by attackers Free
findsecuritycontacts.com [Website] [Source] List of security contacts for websites extracted from security.txt and dnssecuritytxt Free
Forensics Wiki [Website] Forensics tips and tools Free
fuzzdb [Website] Dictionaries of fault injection patterns, predictable resource locations, and regex for matching server responses Free
GHDB [Website] Google Hacking Database; Collection of google dorks Free
Guifre [Website] Security, system and network cheatsheets Free
GTFOBins [Website] [Source] Curated list/cheatsheet of Unix binaries that can be exploited by an attacker to bypass local security restrictions, obtain shells, read files Free
GraphQL Threat Matrix [Source] GraphQL threat framework to research security gaps in GraphQL implementations; documente features and limits of various engines Free
Hacking the cloud [Source] Encyclopedia of the attacks/tactics/techniques for offensive cloud exploitation Free
HackTricks [Website] [Source] Guide and cheatsheet for pentesting: shell, linux exploitation, windows exploitation, mobile app pentesting, network pentesting, web pentesting, binary exploit, forensics, crypto, backdoor, etc. Free
HackTricks Cloud [Website] [Source] Guide and cheatsheet for cloud pentesting: CI/CD, Kubernetes, GCP, GWS, AWS, Azure, Digital Ocean, IBM Cloud, etc. Free
Havoc store [Website] [Source] Havoc modules and extensions store Free
HijackLibs [Website] [Source] Tracking publicly disclosed DLL hijacking opportunities Free
HTML5 Security Cheatsheet [Website] XSS vector making use of HTML5, HTML4, CSS, DOM, UFT7, SVG, JSON, etc ... Free
Internal All The Things [Website] [Source] Active Directory, internal infrastructure and cloud penetration test, red team cheatsheets Free
Kaonashi [Source] Wordlist, hashcat rules and hashcat masks from Kaonashi project (RootedCON 2019) Free
Linux kernel syscall tables [Website] [Source] Browsable linux kernel syscall tables built with Systrack Free
LOFLCAB [Website] [Source] Living off the Foreign Land Cmdlets and Binaries; curated list of cmdlets and binaries that are capable of performing activities from the local Windows system to a remote system Free
LOLAPPS [Website] [Source] Living Off The Land Applications; curated list of applications that have been used & abused for adversarial gain Free
LOLBAS [Website] [Source] Living Off The Land Binaries and Scripts; curated list/cheatsheet of Windows binaries that can be exploited by an attacker to bypass local security restrictions, obtain shells, read files Free
LOLDrivers [Website] [Source] Living Off The Land Drivers; curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks Free
LOLOL [Website] Living Off the Living Off the Land; collection of curated list/cheatsheet of commands and other resources that can be abused or allow security bypass on various environments Free
LOOBins [Website] [Source] Living Off the Orchard macOS Binaries; curated list/cheatsheet of macOS binaries that can be exploited by an attacker for malicious purpose Free
LOTHardware [Website] Living Off The Hardware; curated list of guidance for offensive hardware and offensive devices Free
LOTS [Website] Living Off Trusted Sites; curated list of popular legitimate domains used by attackers to conduct phishing, C&C, exfiltration and downloading tools to evade detection Free
MalAPI [Website] Maps Windows APIs to common techniques used by malware Free
Malware Traffic Analysis [Website] Malware traffic analysis blog and pastebin posts with pcap and malware samples attached; traffic analysis exercises Free
MD5 maxmin record [Website] Collection of various extremes of MD5 hashes Free
MDN - Event reference [Website] DOM Events reference, useful for XSS Free
MichMich [Website] Personal pentest notes and cheat sheets Free
Microsoft Wont-Fix-List [Source] List of vulnerabilities or design flaws Microsoft does not intend to fix Free
NetSPI SQL Injection Wiki [Website] [Source] A wiki knowledge base focused on SQL injection for various DBMS Free
Packet Storm [Website] Exploit index and security news Free
Payloads All The Things [Website] [Source] A list of useful payloads and bypass for Web Application Security and Pentest/CTF Free
Pentesting Azure Mindmap [Source] Mindmap to get the Global Admin access for Azure penetration tests Free
persistence-info [Website] [Source] Curated list of techniques to gain Windows persistence Free
Portswigger - XSS cheat sheet [Website] XSS cheat sheet containing many vectors that can help bypassing WAFs and filters Free
Priv2Admin [Source] Exploitation paths allowing to use the Windows Privileges to elevate rights within the OS Free
Privacy Tools [Website] [Source] Website that provides knowledge and tools to protect your privacy against global mass surveillance Free
Probable Wordlists [Source] Password lists sorted by probability originally created for password generation and testing Free
PTES [Website] The penetration testing execution standard covers all steps related to a penetration test Free
Red Teaming Tactics and Techniques [Website] [Source] Exploring Red Teaming tactics and techniques, some of the common offensive security techniques involving gaining code execution, lateral movement, persistence and more Free
Red Teaming and Malware Analysis [Website] Notes on red teaming, pentest and malware analysis Free
RubyFu [Website] [Source] Offensive Ruby book Free
SecLists [Source] Collection of multiple types of lists used during security assessments, collected in one place; include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, etc. Free
Security Certification Roadmap [Website] [Source] Map referencing all security certifications existing in several categories: Implementation, Architecture, Management, Analysis, Defensive Operations, Offensive Operations Free
Sploitus [Website] Exploit search engine (PacketStorm, Exploit-DB, 0day.today, etc.) and tools search engine (KitPloit) Free
SSH Hardening Guides [Website] Guides to hardening SSH on various systems Free
SSL Checklist for Pentesters (Explore Security) [Website] List of SSL/TLS checks that can be performed manually with OpenSSL or a web browser Free
StegOnline checklist [Website] [Source] CTF Image Steganography Checklist Free
The Bug Hunter's Methodology [Source] A collection of tips, tricks, tools, analysis and notes related to web application security assessments and more specifically towards bug hunting in bug bounties Free
The Hacker Recipes [Website] Guide and knowledge base for pentesting: active directory services, servers, web services, intelligence gathering, physical intrusion, social engineering, phishing, mobile apps Free
The Hacking Tool Trove [Website] THTT; tools cheat sheets, tools command examples, tools references Free
TIBER-EU [Website] European framework for threat intelligence-based ethical red-teaming Free
Unprotect [Website] Database of information about malware evasion techniques Free
Vergilius [Website] A collection of Microsoft Windows kernel structures, unions and enumerations; most of them are not officially documented and cannot be found in Windows Driver Kit (WDK) headers Free
VOID [Website] Verica Open Incident Database; community-contributed collection of software-related incident reports Free
VRT [Website] [Source] Bugcrowd Vulnerability Rating Taxonomy (VRT) provides a baseline vulnerability priority scale for bug hunters and organizations Free
vx-underground [Website] Collection of malware source code, samples, and papers Free
WADComs [Website] [Source] Interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments Free
WEAKPASS [Website] Index of wordlists for brute-force attacks Free
Windows & Active Directory Exploitation Cheat Sheet and Command Reference [Website] Windows & Active Directory exploitation: enumeration, exploitation, lateral movement, privilege escalation, persistence, domain persistence, post-exploitation Free
WTFBins [Website] [Source] Curated list of legitimate binaries that behaves exactly like malware Free
XSS Payloads [Website] Provides advanced XSS payload, tools and documentation about XSS Free

National security agencies and services

Name Country Website Source Description
ANSSI France [Website] Agence Nationale de la Sécurité des Systèmes d'Information, French service responsible for computer security
ASD Australia [Website] Australian Signals Directorate, Australian service responsible for computer security
CCB Belgium [Website] Centre for Cyber Security Belgium, Belgium service responsible for computer security
CNSS United States of America [Website] Committee on National Security Systems, USA intergovernmental organization for the security of the USA security systems
CSE/CST Canada [Website] Communications Security Establishment/Centre de la sécurité des télécommunications, Canadian service responsible for computer security
ENISA [Website] European Network and Information Security Agency, European Union service responsible for computer security
NCSC Great Britain [Website] National Cyber Security Center, United Kingdom service responsible for computer security
NIST United States of America [Website] National Institute of Standards and Technology, Metrology laboratory and non-regulatory agency of the USA Department of Commerce
NSA United States of America [Website] National Security Agency, United States of America service responsible for computer security

Non english

Name Language Website Source Description Price
Bamboofox Chinese [Website] CTF guide Free
CERT.pl challenges Polish [Website] Prequals challenge of the Polish CTF team for ECW Free
ctfs.me Indonesian [Website] Challenges platform, challenges are in english Free
elhacker.net Spanish [Website] Challenges platform Free
Flu-Project Spanish [Website] Challenge platform, guides and news Free
Hack Players Spanish [Website] Challenge platform, guides and news Free
Hacking-Challenges German [Website] Challenges platform Free
Happy-Security German [Website] Challenges platform Free
MIPT CTF Russian [Source] CTF guide Free
NewbieContest French [Website] Challenge platform Free
NOE Korean [Website] Challenge platform Free
SuNiNaTaS Korean [Website] Challenge platform Free
TDHack Polish [Website] Challenge platform Free
TheBlackSide French [Website] Challenge platform Free
Tower CTF French [Website] Challenge platform Free
World of Wargame Spanish [Website] Challenge platform Free
XCTF Agenda Chinese [Website] World CTF agenda Free
Yashira Spanish [Website] Challenge platform Free

Trainings and courses

Name Website Source Description Price
API Security Academy [Website] [Source] Platform dedicated to understand and secure GraphQL applications Free
Bugcrowd University [Website] [Source] Modules with slides, videos and sometimes labs to learn web security, by Bugcrowd Free
Cybrary [Website] Cyber Security learning, training and certification Paid
flAWS [Website] Learn about common mistakes and gotchas when using Amazon Web Services (AWS) from an offensive perspective Free
flAWS 2 [Website] Learn about common mistakes and gotchas when using Amazon Web Services (AWS) from an offensive and defensive perspective Free
Hacker101 [Website] [Source] Class for web security targeting bug bounty hunters and security professionals, with video lessons and a CTF platform, by HackerOne Free
Hextree [Website] Hacking courses platform organized as micro learning Paid
ITonlinelearning [Website] Training provider who offers certified online courses in IT, cyber security, and ethical hacking (CompTIA and EC-Council) Paid
OWASP Vulnerable Web Applications Directory [Website] [Source] Comprehensive and registry of all known vulnerable web applications currently available Free
PentestAcademy [Website] Cyber Security training with an online lab Paid
PentesterLab [Website] Pentest lab with exercises and videos: Unix, PCAP, HTTP, Code review, serialization, JWT, real vulnerabilities, GraphQL, common web vulnerabilities, MiTM, authentication (oAuth, SAML), Android, recon, advanced attacks, API, etc. Paid
Portswigger Web Security Academy [Website] Web Security training with an online lab Free
Pwned Labs [Website] Cloud security labs Paid
SANS [Website] Escal Institute of Advanced Technologies provides courses, certifications and learning materials Paid
Virtual Hacking Labs [Website] Pentest lab Paid


Name Website Source Description Price
Cobalt - Getting Started with Android Application Security [Website] Tutorial covering Android core, application components, security testing, testing environment, adb usage, bypassing SSL pinning, reverse engineering APK Free
CTF Field Guide [Website] [Source] CTF guide Free
CTF Resources [Website] [Source] CTF guide Free
Infosec Institute - What a Challenger Perceives in most CTF Categories/Challenges [Website] Questions a challenger can ask himself during a CTF, classed by category Free
ISIS Lab Wiki [Website] CTF guide Free
Endgame - How to Get Started in CTF [Website] Tutorial for CTF beginners Free
NIZKCTF tutorial [Source] Tutorial to set up NIZKCTF Free
Xapax IT-Security Notebook [Website] [Source] Overview guide for all kind of pentesting Free

Writeups collections and challenges source