16 free or open source security and incident response tools to try in 2023

Incident response is at the heart of what security teams do. The term describes the process by which an organization mitigates (responds to) a cyber attack (an incident). Incident response teams must keep track of cyber assets, discover and patch vulnerabilities, and prioritize hundreds of daily alerts in order to protect the organization against a deluge of potential breaches. Easy, right?

Not so much. 

Most security practitioners would rather get on with the work of protecting what matters, and spend less time on evaluating vendors and tools. That’s why free and open source resources are so popular in the security community - you can get started using a tool before investing in a paid version and see the impact right away.

Which incident response tools do you need? 

It’s easy to get overwhelmed when trying to understand the cybersecurity tooling landscape. That’s why Sounil Yu, JupiterOne’s CISO, created The Cyber Defense Matrix. You can download a copy of the book for free, here, but if you’re already familiar with this model, you can see the tools we’ve chosen to highlight mapped out on the matrix below. 

“Consider the exhibit hall at any major security conference. The cacophony of claims from vendors hawking their wares, the confusing language of their marketecture, and the lack of any semblance of organization offer us no help to understand what we need or where to find it… understanding the cybersecurity landscape [is] daunting even for the experienced practitioner.
The Cyber Defense Matrix was originally created to address this problem. It is an easy-to-memorize mental model that helps us navigate the cybersecurity grocery store to quickly find the capabilities that we need; compare and contrast features of similar products; and spot obvious gaps and deficiencies in our security posture.”
The Cyber Defense Matrix by Sounil Yu

Free or open source cybersecurity tools you can try today

JupiterOne

JupiterOne provides continuously updated cyber asset inventory and relational context. Discover, alert, and take action on rogue or vulnerable assets such as suspicious code commits, unmanaged devices, misconfigured data stores, and risky behavior in Bitbucket and GitHub pull requests. The free tier is available for up to ten integrations. 

Starbase

Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.

SANS Investigative Forensic Toolkit (SIFT) Workstation

The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. SIFT demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

GRR Rapid Response

GRR Rapid Response is an incident response framework focused on remote live forensics. GRR server infrastructure consists of several components (frontends, workers, UI servers, fleetspeak) and provides a web-based graphical user interface and an API endpoint that allows analysts to schedule actions on clients and view and process collected data.

AlienVault

AlienVault® OSSIM™ is an open-source security information and event management (SIEM) system that includes event collection, normalization, and correlation.

Volatility

This popular memory forensics framework provides data on network connections, running processes, process IDs, and more, and exports that data to a text file. Volatility development is now supported by The Volatility Foundation, an independent 501(c)(3) non-profit organization.

TheHive Project

TheHive Project is a free open-source IR platform that allows multiple analysts to work simultaneously on incident investigations. It gives analysts the ability to set up notifications for new task assignments and to preview new events and alerts with multiple sources, such as email digests and SIEM alerts. Built-in templates allow analysts to gain key insights and identify the right measures to take for faster remediation.

Snort

Snort is an open source intrusion prevention system (IPS). Snort IPS uses a series of rules that help define malicious network activity, finds packets that match those rules, and generates alerts for users.

Zeek

Zeek is an open source network security monitoring tool. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security information and event management (SIEM) system.

OSSEC

OSSEC is an open source host-based intrusion detection system (HIDS). It integrates log analysis, file integrity monitoring, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting, and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, macOS, Solaris, and Windows.

OpenVAS

OpenVAS is an open source vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, support for various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans, and a powerful internal programming language to implement any type of vulnerability test.

IPFire

IPFire is an open source firewall solution. IPFire is built from scratch and not based on any other distribution. This allows the developers to harden IPFire better than any other server operating system and build all components specifically for use as a firewall.

OCS Inventory

Open Computers and Software Inventory (OCS Inventory) is an open source asset management solution. It allows you to scan and inventory all the devices in your IT department. Once you know everything about your machines, on both the hardware and software sides, you can deploy packages to keep your environment safe.

AlienVault OTX 

The Alien Labs® Open Threat Exchange® (OTX™) is an open threat intelligence community. It now has more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. 

Sleuthkit

The Sleuth Kit® is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools.

Opsi (Open PC Server Integration)

Opsi is an open source client management system for managing heterogeneous environments. It enables the deployment and configuration of operating systems and software on Windows and Linux computers.

Building a security program that works 

At JupiterOne, we believe there are five questions at the heart of every effective incident response program: what do I have, what is important, does anything have a problem, who can fix it, and are we getting better?

To answer these questions, you need a cyber asset management platform that connects the dots across all of your assets - physical and ephemeral. This is not merely an asset inventory function; it is the core of effective incident response.

To try this approach for yourself, get started with a free JupiterOne account today. Connect your core systems for instant, near-real-time insights into your environment. 

Sarah Hartland

Sarah is the Senior Demand Generation Manager at JupiterOne. She has been a content creator and curator since 2012, with experience in the media, adtech, and cybersecurity industries. Sarah is passionate about making technical concepts accessible for all.
