OSINT Resources

Understanding OSINT

Open-source intelligence (OSINT) refers to the process of gathering information from publicly available sources online. This includes websites, social media, search engines, data breach repositories, and technical databases. Both cybersecurity professionals and everyday users can benefit from OSINT tools by gaining insight into potential risks, data leaks, and online exposure. Whether you’re protecting a network or just browsing safely, understanding how to use OSINT tools effectively is key.

OSINT is important because it empowers users to take proactive measures to stay safe online. For individuals, it helps to identify personal data breaches, unsafe websites, and device vulnerabilities. For businesses, it aids in monitoring digital footprints, identifying attack surfaces, and managing reputational risks. Here are just a few resources one can use for everyday awareness and security, as well as business and professional use.

Security and Awareness | Business and Professional
Website & Domain Reputation Checks | Advanced Threat Intelligence & Feeds
IP Address & Network Security Assessment | Network & Infrastructure Exposure Tools
Dark Web & Data Breach Monitoring | Credential & Metadata Analysis Tools
Public Wi-Fi & Network Security Checks | Forensic Collection & Technical Enrichment Tools
Threat Intelligence & Cybersecurity News | Threat Actor & Campaign Tracking Tools
Cybersecurity Awareness & Personal Safety Checks | Supply Chain & Vendor Risk Monitoring
Child-Friendly Search Engines | Email & Domain Security Analysis

Website & Domain Reputation Checks

This category focuses on tools that help you determine whether a website is safe to visit. From detecting phishing pages to uncovering blacklisted domains, these tools are a first line of defense when evaluating links. Both individuals and cybersecurity professionals rely on reputation checkers to avoid malware infections, fraud, and suspicious redirects.

VirusTotal

  • Purpose: Quickly check if a website link or file contains malware or is flagged as suspicious.
  • Description: VirusTotal aggregates results from multiple antivirus engines and URL scanners to assess the safety of a link or file. It’s one of the most widely used tools for initial threat assessments.
  • Best Used For: Before opening a suspicious email link or downloading a file you’re unsure about.
  • Cyber 12 Tip: Always verify links before clicking, especially in emails, texts, or social media messages. Use VirusTotal in combination with browser extensions or before launching tools during recon or research.
  • Try it here: https://www.virustotal.com/

URLVoid

  • Purpose: Check if a domain is associated with phishing or malware.
  • Description: URLVoid uses multiple blacklist engines and WHOIS data to analyze the reputation of websites and domains.
  • Best Used For: When you want a second opinion about an unfamiliar or suspicious website.
  • Cyber 12 Tip: Double-check shortened or disguised URLs using preview features before clicking. Use URLVoid to document domain reputation in the early phases of threat intel gathering.
  • Try it here: https://www.urlvoid.com/

Google Safe Browsing

  • Purpose: Quickly check if a site has been flagged as deceptive or dangerous by Google.
  • Description: Google Safe Browsing maintains a database of URLs associated with malware and phishing.
  • Best Used For: When you need fast confirmation about a suspicious link from a trusted source.
  • Cyber 12 Tip: Avoid sites that show ‘deceptive site ahead’ warnings in your browser. Integrate the Google Safe Browsing API for automated domain safety checks.
  • Try it here: https://transparencyreport.google.com/safe-browsing/search

 

IP Address & Network Security Assessment

This category focuses on tools that assess the safety and behavior of IP addresses and networks. Whether you’re checking for blacklisted IPs, exposed devices, or suspicious network activity, these tools help users—both technical and non-technical—understand potential threats from the digital infrastructure side. They are especially useful when dealing with public Wi-Fi, unusual system logs, or unknown connections.

Shodan

  • Purpose: Search for internet-connected devices and their vulnerabilities.
  • Description: Shodan is a search engine that indexes devices connected to the internet—including servers, cameras, routers, and IoT devices—exposing open ports, services, and security risks.
  • Best Used For: Investigating open ports and services on publicly accessible systems.
  • Cyber 12 Tip: Never connect to unsecured IoT devices or use default passwords—Shodan can show how visible your own devices are. Use Shodan to map exposed infrastructure during recon or vulnerability assessments.
  • Try it here: https://www.shodan.io

Censys

  • Purpose: Monitor and discover internet-facing assets with known weaknesses.
  • Description: Censys scans the entire internet regularly and lets you query devices, certificates, and services for exposure, misconfiguration, or outdated software.
  • Best Used For: Proactively identifying what your organization (or client) is exposing to the internet.
  • Cyber 12 Tip: Make sure public-facing assets like RDP or databases are locked down and updated. Combine Censys results with Nmap to verify exposure manually and generate deeper reports.
  • Try it here: https://censys.io

IPVoid

  • Purpose: Check if an IP address is blacklisted or associated with malicious activity.
  • Description: IPVoid queries multiple reputation engines to determine if an IP has been flagged for spam, malware, or other abuse.
  • Best Used For: Screening strange IP addresses in logs, emails, or firewall alerts.
  • Cyber 12 Tip: If you find a suspicious IP accessing your network repeatedly, block it and investigate further. Use IPVoid to complement AbuseIPDB and enrich your threat investigation notes.
  • Try it here: https://www.ipvoid.com

AbuseIPDB

  • Purpose: Investigate suspicious IPs and report abusive activity.
  • Description: AbuseIPDB crowdsources reports from security professionals and users to help track brute force attacks, spam sources, and other harmful behavior tied to IPs.
  • Best Used For: Checking and reporting repeated intrusions, port scans, or login attempts.
  • Cyber 12 Tip: Use this tool to verify if others have flagged the same IP you’re concerned about. Contribute your own logs or firewall data to help the security community stay updated.
  • Try it here: https://www.abuseipdb.com

 

Dark Web & Data Breach Monitoring

This category helps users uncover whether their personal or organizational data has been exposed through data breaches or leaked onto the dark web. These tools allow both cybersecurity professionals and non-technical users to search for stolen credentials, monitor sensitive data, and take proactive steps after exposure.

Have I Been Pwned

  • Purpose: Check if your email, username, or password has been leaked in a known data breach.
  • Description: Have I Been Pwned is a free service that scans breached databases to identify if your personal data has been compromised in public breaches.
  • Best Used For: Monitoring your primary email address and setting breach alerts.
  • Cyber 12 Tip: If your credentials appear in a breach, change your passwords immediately and enable 2FA. Use HIBP to support awareness training and highlight the risk of password reuse during briefings or simulations.
  • Try it here: https://haveibeenpwned.com

DeHashed

  • Purpose: Search for leaked information including usernames, passwords, email addresses, phone numbers, and IPs.
  • Description: DeHashed is a breach search engine that aggregates leaked databases and allows for broad identity exposure analysis. It can even track company leaks and developer credentials.
  • Best Used For: Investigating the scope of a breach affecting your organization or persona.
  • Cyber 12 Tip: Always use a VPN when using OSINT tools that explore breach data—don’t search on open Wi-Fi. DeHashed is powerful but limited without an account—leverage its metadata for high-level risk assessment.
  • Try it here: https://www.dehashed.com

Intelligence X

  • Purpose: Search breached and leaked data on the clear web and dark web.
  • Description: Intelligence X is a versatile search engine that indexes content from pastebins, darknet marketplaces, and public archives—including domains, IPs, emails, and leaked documents.
  • Best Used For: Advanced research into threat actor data dumps and leaked credentials.
  • Cyber 12 Tip: Never attempt to download leaked files from dark web locations—use platforms like Intelligence X that sanitize content. Great for use in digital forensics scenarios when investigating ransomware-related data exposure.
  • Try it here: https://intelx.io

DarkTracer

  • Purpose: Track cybercriminal group activity, dark web leaks, and credential exposure.
  • Description: DarkTracer is a commercial cyber threat intelligence platform that monitors dark web forums, marketplaces, and extortion leaks in real time.
  • Best Used For: Threat tracking, victim notification, and breach intel enrichment.
  • Cyber 12 Tip: Stay within legal OSINT tools—don’t attempt direct dark web access without protection and training. Use DarkTracer reports to analyze trends in threat group behavior and ransomware targets.
  • Try it here: https://darktracer.com

 

Public Wi-Fi & Network Security Checks

Public and shared Wi-Fi networks can expose users to significant security risks, including device snooping, data interception, and man-in-the-middle attacks. This category includes tools that help assess the safety of local networks, identify unauthorized devices, and alert users to insecure access points. It’s essential for anyone working remotely, traveling, or connecting outside of a secured home or enterprise network.

WiGLE

  • Purpose: Map and analyze Wi-Fi networks by signal strength, encryption type, and physical location.
  • Description: WiGLE crowdsources global Wi-Fi data, displaying access point locations and identifying whether networks are open, secured, or potentially suspicious.
  • Best Used For: Assessing whether a public Wi-Fi network is encrypted and trustworthy.
  • Cyber 12 Tip: Avoid connecting to Wi-Fi networks without passwords or that use WEP encryption—it’s outdated and easily broken. Use WiGLE during security audits to locate unsecured or rogue access points.
  • Try it here: https://wigle.net

Fing

  • Purpose: Scan local networks for connected devices and unusual behavior.
  • Description: Fing is a mobile and desktop app that displays every device connected to a Wi-Fi network, including IP/MAC addresses and device types. It alerts you when unknown users connect.
  • Best Used For: Identifying unauthorized devices on your home or public network.
  • Cyber 12 Tip: Regularly scan your network to ensure unfamiliar devices aren’t piggybacking on your bandwidth or data. Fing is great for hands-on demonstrations in community cybersecurity training sessions.
  • Try it here: https://www.fing.com

Netcraft

  • Purpose: Detect phishing websites, malicious hosting providers, and insecure service configurations.
  • Description: Netcraft provides threat intelligence around internet infrastructure and analyzes domain reputation, SSL issues, and service vulnerabilities.
  • Best Used For: Checking if a site or hosting service you’re connecting to is secure and trustworthy.
  • Cyber 12 Tip: Don’t log into personal or financial accounts over public Wi-Fi unless you’re using a VPN. Use Netcraft with domain lookups during incident response to evaluate phishing threats.
  • Try it here: https://www.netcraft.com

 

Threat Intelligence & Cybersecurity News

Staying informed about emerging cyber threats is key to maintaining both personal and organizational security. This category highlights tools and platforms that deliver real-time threat intelligence, malware indicators, and cybersecurity news. These resources are valuable for anyone looking to stay ahead of scams, vulnerabilities, and active threat actors.

AlienVault OTX

  • Purpose: Access community-powered threat intelligence including Indicators of Compromise (IoCs).
  • Description: Open Threat Exchange (OTX) allows users to view, create, and collaborate on threat indicators such as malicious IPs, domains, malware hashes, and attack signatures.
  • Best Used For: Tracking threat activity, enriching incident response data, and monitoring suspicious domains.
  • Cyber 12 Tip: When using OTX data, always validate IoCs with additional tools like VirusTotal or Shodan. Follow Pulse authors and automate threat feed pulls to integrate OTX into your SIEM workflow.
  • Try it here: https://otx.alienvault.com

BleepingComputer

  • Purpose: Stay up to date on malware outbreaks, cybersecurity vulnerabilities, and data breach reports.
  • Description: BleepingComputer is a respected news outlet that covers real-world attacks, ransomware trends, patch releases, and threat actor tactics.
  • Best Used For: Daily monitoring of global cyber events and high-profile vulnerabilities.
  • Cyber 12 Tip: Use trusted news sources to verify breach claims or alert messages you receive via email or social media. Great source for use in tabletop exercises or class discussions—refer to real case studies in awareness training.
  • Try it here: https://www.bleepingcomputer.com

ThreatPost

  • Purpose: Report on vulnerabilities, exploit disclosures, and cybersecurity trends.
  • Description: ThreatPost is a cybersecurity news platform that delivers timely updates on zero-day threats, government warnings, and exploit kits.
  • Best Used For: Keeping security teams and professionals aware of current threat activity and patch advisories.
  • Cyber 12 Tip: Use news articles to prompt regular software updates and internal system audits. Include ThreatPost articles in executive briefings to support awareness and risk communication.
  • Try it here: https://threatpost.com

 

Cybersecurity Awareness & Personal Safety Checks

This category is designed to empower users with greater control over their digital footprint. The tools featured here help individuals assess how their browsers, devices, and habits are being tracked online. These tools are perfect for raising awareness, teaching privacy fundamentals, and improving personal online safety—especially in workshops and training environments. Expanded here are tools that go beyond assessment and into action, enabling safer browsing, smarter searching, and more secure digital habits.

Am I Unique?

  • Purpose: Evaluate your browser’s fingerprint and how unique it is online.
  • Description: This tool checks how much identifiable information your browser leaks through fonts, plugins, system time, and headers—factors used for cross-site tracking.
  • Best Used For: Discovering how easily you can be tracked across the web without cookies.
  • Cyber 12 Tip: Use privacy-respecting browsers like Brave or Firefox with hardened settings. Excellent live demo for training sessions on how “invisible tracking” really works.
  • Try it here: https://amiunique.org

Cover Your Tracks

  • Purpose: Analyze your browser’s resistance to tracking and fingerprinting.
  • Description: Created by the Electronic Frontier Foundation (EFF), this tool tests your browser’s unique fingerprint and explains the results clearly.
  • Best Used For: Evaluating how much data websites can collect about your system setup.
  • Cyber 12 Tip: Turn off third-party cookies and reduce browser extensions to lower your tracking surface. Use Cover Your Tracks as a before/after test when teaching people how to improve browser privacy.
  • Try it here: https://coveryourtracks.eff.org

PrivacyTools.io

  • Purpose: Recommend software and settings for better online privacy.
  • Description: PrivacyTools is a curated directory of privacy-respecting apps, browsers, search engines, password managers, and VPNs.
  • Best Used For: Learning how to replace everyday tech with secure alternatives.
  • Cyber 12 Tip: Use a password manager, encrypted messaging, and secure DNS as your baseline privacy toolkit. Include this resource in onboarding materials or community handouts, especially for non-tech audiences.
  • Try it here: https://www.privacytools.io

DuckDuckGo Privacy Essentials

  • Purpose: Block trackers and enforce HTTPS while using a privacy-first search engine.
  • Description: DuckDuckGo offers a browser extension and mobile app that upgrade site connections and block hidden third-party trackers, with zero-tracking search functionality.
  • Best Used For: Day-to-day private searching and browsing with enhanced protection.
  • Cyber 12 Tip: Make DuckDuckGo your default search engine on all devices for continuous protection. A great bridge tool for everyday users transitioning from Google without losing functionality.
  • Try it here: https://duckduckgo.com/app

Mozilla Firefox (with Enhanced Tracking Protection)

  • Purpose: Provide a secure, privacy-focused browser with built-in tracker blocking.
  • Description: Firefox automatically blocks third-party trackers, fingerprinting scripts, and crypto miners while giving users complete control over privacy settings.
  • Best Used For: Safer web browsing, especially when handling sensitive information or using public networks.
  • Cyber 12 Tip: Enable “Strict” privacy mode and pair with add-ons like uBlock Origin and HTTPS Everywhere. Firefox is an ideal browser for educational labs and privacy boot camps—configurable and trusted.
  • Try it here: https://www.mozilla.org/en-US/firefox/new

Jumbo Privacy (Mobile App)

  • Purpose: Manage online privacy across social media and Google accounts from your phone.
  • Description: Jumbo scans your digital footprint to clean old tweets, revoke app permissions, and adjust privacy settings on major platforms like Facebook, Google, and LinkedIn.
  • Best Used For: People who want to improve privacy but don’t know where to start, especially on mobile.
  • Cyber 12 Tip: Run monthly privacy scans and remove unused app permissions regularly. Recommend Jumbo in beginner sessions for hands-on privacy hygiene training.
  • Try it here: https://www.jumboprivacy.com

 

Child-Friendly Search Engines

Children are some of the most vulnerable users online. They need safe, filtered environments that allow them to explore, learn, and grow without being exposed to adult content, misinformation, or online predators. These child-friendly search engines prioritize safety, education, and ease of use. Whether you’re a parent, educator, or community leader, these tools are essential for fostering a healthy digital start for young users.

Kiddle

  • Purpose: Offer Google-powered search results with strict safety filters.
  • Description: Kiddle returns kid-appropriate results with big thumbnails and simple explanations, prioritizing sites written for children or filtered by editors.
  • Best Used For: General searching for school topics, animals, space, and fun facts.
  • Cyber 12 Tip: Bookmark Kiddle as the default browser home page on devices used by kids. Great visual search tool to demo during internet safety workshops for families.
  • Try it here: https://www.kiddle.co

Fact Monster

  • Purpose: Provide safe, educational information for kids in one place.
  • Description: Fact Monster combines an encyclopedia, dictionary, thesaurus, and learning games with curated articles and fun facts.
  • Best Used For: Homework help, research, and independent exploration.
  • Cyber 12 Tip: Use Fact Monster for take-home assignments to limit Googling on unfiltered browsers. Include in school-safe resource guides or handouts for caregivers.
  • Try it here: https://www.factmonster.com

KidRex

  • Purpose: Kid-friendly search engine with a fun, crayon-style interface.
  • Description: Powered by Google Custom Search, KidRex filters inappropriate content and displays results with kid-friendly language and themes.
  • Best Used For: Early readers and elementary-age kids who enjoy colorful, simplified designs.
  • Cyber 12 Tip: While effective, KidRex sometimes experiences outages—have a backup option ready. Reinforce safe searching with visual prompts—KidRex is a great hands-on activity starter.
  • Try it here: http://www.kidrex.org

Kid’s Search

  • Purpose: Deliver safe search capabilities in a visually engaging format.
  • Description: Kid’s Search is designed for educational fun and uses strict filtering with easy-to-navigate categories like science, animals, and world facts.
  • Best Used For: Structured topic exploration and library or classroom use.
  • Cyber 12 Tip: Use this engine during supervised sessions to introduce safe online browsing habits. Teachers can use this as a base station for digital scavenger hunts or quizzes.
  • Try it here: https://kidssearch.com

Kidtopia

  • Purpose: Provide a child-safe search engine curated by teachers.
  • Description: Kidtopia features results selected by educators and librarians, including videos, games, and links to educational websites.
  • Best Used For: Trusted, vetted content during research projects.
  • Cyber 12 Tip: Keep Kidtopia as the preferred choice on classroom desktops or library computers. Reinforce digital literacy by encouraging students to cite sources found on Kidtopia.
  • Try it here: http://www.kidtopia.info

KidzSearch

  • Purpose: Safe search engine that mimics the Google experience for kids.
  • Description: KidzSearch uses Google SafeSearch and additional filtering to present kid-appropriate content in a layout similar to Google’s, helping with digital transition later.
  • Best Used For: Students transitioning from elementary to middle school.
  • Cyber 12 Tip: Parents can install the KidzSearch browser for added controls and filtering. Demonstrate it alongside Google to show the difference between filtered and unfiltered search.
  • Try it here: https://www.kidzsearch.com

Topmarks

  • Purpose: Support learning with safe, interactive educational tools and games.
  • Description: UK-based site offering resources for teachers and students in early childhood through secondary school, including activities by subject and age group.
  • Best Used For: Reinforcing classroom learning with gamified content.
  • Cyber 12 Tip: Limit unsupervised game time by setting timers on Topmarks-based activities. Use Topmarks in blended learning or enrichment stations.
  • Try it here: https://www.topmarks.co.uk

WackySafe

  • Purpose: Provide a full web browser and search engine for kids.
  • Description: WackySafe offers its own kid-focused browser with built-in safe search, parental controls, and fun themes.
  • Best Used For: Creating a walled-garden internet experience for younger users.
  • Cyber 12 Tip: Install WackySafe on shared family computers for peace of mind. Promote WackySafe as part of a home digital safety starter kit.
  • Try it here: https://wackysafe.com

 

Advanced Threat Intelligence & Feeds

Tailored for cybersecurity practitioners, SOC analysts, red teamers, and students ready to level up, this category focuses on tools that provide structured, real-time cyber threat intelligence. These resources help professionals monitor malicious infrastructure, track Indicators of Compromise (IoCs), follow threat actor TTPs (Tactics, Techniques, and Procedures), and integrate intel into SIEMs and threat-hunting workflows. They’re ideal for anyone working in incident response, SOC analysis, threat hunting, or red teaming.

Abuse.ch Threat Intelligence Feeds

  • Purpose: Provide real-time, community-driven feeds on malware infrastructure and botnets.
  • Description: Abuse.ch runs multiple threat feeds focused on malware families like TrickBot, IcedID, QakBot, and ransomware C2 servers. Feeds are simple, API-friendly, and easy to automate.
  • Best Used For: Integrating with SIEMs, firewalls, or threat intel platforms.
  • Cyber 12 Tip: Only consume the feeds—don’t interact directly with listed IPs or URLs. Use Abuse.ch in blue team lab exercises to simulate detection and blocking scenarios.
  • Try it here: https://abuse.ch

MISP (Malware Information Sharing Platform)

  • Purpose: Share, correlate, and enrich threat intel with automation.
  • Description: MISP is an open-source platform for storing, analyzing, and sharing structured threat intelligence. It supports STIX, TAXII, and collaboration across teams or organizations.
  • Best Used For: Creating and sharing IoC collections, incident timelines, and community alerts.
  • Cyber 12 Tip: Ensure your MISP instance is securely hosted and access controlled. Use MISP to practice structuring incident response data and developing custom threat feeds.
  • Try it here: https://www.misp-project.org

OpenCTI (Open Cyber Threat Intelligence)

  • Purpose: Organize, visualize, and automate threat intel operations.
  • Description: OpenCTI is a modern threat intel platform that allows you to map TTPs, actors, campaigns, and vulnerabilities in an interactive, scalable environment.
  • Best Used For: Building and managing your organization’s threat knowledge base.
  • Cyber 12 Tip: Connect OpenCTI to trusted sources only—avoid unvetted external feeds. Use OpenCTI for executive briefings—its visual graphs help non-tech leaders understand threats.
  • Try it here: https://www.opencti.io

 

Network & Infrastructure Exposure Tools

A must-have section for professionals working in threat detection, attack surface management, penetration testing, and red teaming, this category includes tools that uncover how your systems, servers, and devices appear to the outside world. These resources are often used by attackers—and defenders—to identify exposed ports, outdated services, vulnerable software, and misconfigured devices. They’re critical for asset discovery, vulnerability mapping, and pre-attack reconnaissance.

Shodan

  • Purpose: Discover exposed internet-connected devices and their services.
  • Description: Shodan scans the entire internet and indexes connected devices (routers, cameras, SCADA systems, etc.) by IP, open ports, software version, and more.
  • Best Used For: Mapping your organization’s attack surface and identifying rogue or outdated assets.
  • Cyber 12 Tip: Set up alerts to notify you when new assets appear on the public internet. Use Shodan during red team scenarios to simulate attacker reconnaissance.
  • Try it here: https://www.shodan.io

Censys

  • Purpose: Analyze your digital footprint and monitor cloud asset exposure.
  • Description: Censys provides real-time visibility into certificates, open ports, services, and misconfigurations by scanning the internet daily. It excels in infrastructure discovery and certificate transparency.
  • Best Used For: Compliance audits, cloud security validation, and proactive infrastructure defense.
  • Cyber 12 Tip: Register for a free account to access expanded search capabilities and historical data. Combine with WHOIS and passive DNS lookups to build enriched asset profiles.
  • Try it here: https://censys.io

Spyse (now integrated into SecurityTrails)

  • Purpose: Conduct deep reconnaissance on internet infrastructure and organizational footprints.
  • Description: Spyse indexed everything from open ports and subdomains to technologies, SSL certs, and DNS records. It’s now part of SecurityTrails—a powerful infrastructure intel platform.
  • Best Used For: Recon during red team operations or company-wide exposure audits.
  • Cyber 12 Tip: Don’t probe assets you don’t own or have permission to test—stick to passive OSINT. Use SecurityTrails or similar tools in conjunction with Shodan for a well-rounded asset inventory.
  • Try it here: https://securitytrails.com

 

Credential & Metadata Analysis Tools

Designed for security analysts, digital forensics investigators, and red teams, this category includes tools used to find, verify, and investigate leaked login credentials, personal information, and document metadata. Credential leaks are often the root cause of cyber breaches, and metadata can reveal sensitive details like document authorship, edit history, GPS coordinates, and file creation dates. These tools are essential for breach investigation, OSINT enrichment, and red team discovery.

DeHashed

  • Purpose: Search for leaked usernames, passwords, emails, phone numbers, and IPs across breached databases.
  • Description: DeHashed is a robust breach search engine that goes beyond email-only lookups. It allows you to correlate multiple identifiers and discover patterns in compromised accounts.
  • Best Used For: Breach response, threat hunting, or monitoring your organization’s exposure.
  • Cyber 12 Tip: Never reuse passwords across platforms—if you find a match, change them immediately. Use DeHashed with other leak-checking tools to show the real-world damage of password reuse.
  • Try it here: https://www.dehashed.com

ExifTool

  • Purpose: Extract metadata from image, video, document, and archive files.
  • Description: ExifTool is a command-line utility that reveals metadata embedded in files—like camera info, GPS data, timestamps, software versions, and user details.
  • Best Used For: Digital forensics, tracking the origin of leaked content, or analyzing social media uploads.
  • Cyber 12 Tip: Remove metadata before uploading media files to the internet, especially on public profiles. Show students how hidden data in photos can lead to doxxing or geolocation.
  • Try it here: https://exiftool.org

EmailRep.io

  • Purpose: Analyze the reputation of an email address using OSINT signals.
  • Description: EmailRep uses behavioral, breach, domain, and social indicators to help determine if an email is risky or linked to malicious activity. You can query it via browser or API.
  • Best Used For: Verifying suspicious sender emails or running passive checks during phishing investigations.
  • Cyber 12 Tip: Use it in combination with SPF/DKIM records and URL reputation checkers for full sender validation. Pair it with phishing simulations or incident response reports to assess attacker recon tactics.
  • Try it here: https://emailrep.io

 

Forensic Collection & Technical Enrichment Tools

Ideal for digital investigators, SOC analysts, and advanced cybersecurity professionals handling incident response, these tools are used to collect, preserve, and enrich digital evidence during a cybersecurity investigation. From memory dumps and disk images to passive DNS lookups and malware sandboxing, forensic tools help security professionals analyze events, correlate data, and build a timeline of compromise. This category supports post-incident review, technical attribution, and advanced OSINT enrichment.

Autopsy

  • Purpose: Perform in-depth forensic analysis on hard drives, images, and devices.
  • Description: Autopsy is an open-source digital forensics platform used to investigate deleted files, browser activity, registry logs, USB usage, and other artifacts. It supports disk imaging and timeline creation.
  • Best Used For: Full forensic analysis of compromised machines or USBs.
  • Cyber 12 Tip: Always conduct investigations on isolated systems—don’t analyze infected drives directly on your work machine. Use Autopsy to teach the fundamentals of digital forensics in incident simulations.
  • Try it here: https://www.sleuthkit.org/autopsy

VirusTotal (for file and malware enrichment)

  • Purpose: Analyze suspicious files, hashes, and domains for malware indicators.
  • Description: VirusTotal provides multi-engine scanning and rich behavioral analysis for malware samples, registry artifacts, and payloads. It also tracks submission history and community insights.
  • Best Used For: Triaging malware attachments or suspicious downloads during an investigation.
  • Cyber 12 Tip: Never open suspected malware files on your own system—use sandboxed environments or rely on cloud analysis like VirusTotal. Excellent for teaching how threat analysts classify malware and investigate payloads.
  • Try it here: https://www.virustotal.com

PassiveTotal (by RiskIQ)

  • Purpose: Pivot through DNS, WHOIS, SSL, and historical infrastructure data.
  • Description: PassiveTotal is a threat analysis platform that connects domains, IPs, registrants, and other infrastructure relationships using a rich historical database.
  • Best Used For: Infrastructure attribution, subdomain discovery, and domain registration tracking.
  • Cyber 12 Tip: Use passive lookups to minimize exposure while gathering intel. Pair PassiveTotal with Shodan/Censys for infrastructure correlation during red team operations.
  • Try it here: https://community.riskiq.com

Threat Actor & Campaign Tracking Tools

Tracking known threat actors and their campaigns is a critical part of understanding attacker behavior. These tools help analysts follow TTPs (Tactics, Techniques, Procedures), attribution reports, and APT (Advanced Persistent Threat) group activity over time. They are invaluable for cyber threat intelligence, proactive defense planning, and executive reporting.

MITRE ATT&CK

  • Purpose: Map attacker behaviors to known techniques and tactics.
  • Description: MITRE ATT&CK is a globally used framework that documents adversary behaviors across the cyber kill chain.
  • Best Used For: Red teaming, threat emulation, SOC tuning, and briefing executives.
  • Safety Tip: Reference the technique ID (like T1059) in IR plans or detection rules.
  • Cyber 12 Tip: Use ATT&CK Navigator to build visual heat maps during tabletop exercises.
  • Try it here: https://attack.mitre.org

Malpedia

  • Purpose: Research malware families and associated threat actors.
  • Description: Malpedia offers a structured repository of malware definitions, samples, and links to known APT groups.
  • Best Used For: Connecting malware artifacts to campaigns or threat groups.
  • Safety Tip: Do not download or test malware samples unless you are in a secure sandbox environment.
  • Cyber 12 Tip: Use Malpedia with VirusTotal to enrich IR reports and identify threat actor tools.
  • Try it here: https://malpedia.caad.fkie.fraunhofer.de

APT Wiki (APT Groups & Operations Index)

  • Purpose: View documented APT group activities, campaigns, and origin countries.
  • Description: Maintained by the cybersecurity community, APT Wiki tracks threat actor names, aliases, campaign history, and known tools.
  • Best Used For: Attribution, tracking activity trends, and cross-referencing IOC reports.
  • Safety Tip: Be cautious of political interpretations—focus on the technical data.
  • Cyber 12 Tip: Pair this with MITRE to demonstrate links between group activity and real-world incidents.
  • Try it here: https://aptwiki.mitre.org

Supply Chain & Vendor Risk Monitoring

Even the most secure organizations can be compromised through their third-party vendors. This category focuses on tools that monitor supply chain exposure, assess vendor risk, and detect downstream vulnerabilities introduced through partnerships or integrations.

SecurityScorecard

  • Purpose: Evaluate and monitor the cybersecurity posture of third-party vendors.
  • Description: SecurityScorecard gives organizations an A–F security rating based on external indicators, patching, and policy adherence.
  • Best Used For: Reviewing partners and vendors during procurement or compliance reviews.
  • Safety Tip: Don’t just rely on ratings—engage with vendors about their controls.
  • Cyber 12 Tip: Use this during BCDR exercises to simulate third-party incident response.
  • Try it here: https://securityscorecard.com

RiskIQ Illuminate (now Microsoft Defender Threat Intelligence)

  • Purpose: Map digital assets and risks across your full attack surface—including vendors.
  • Description: This platform discovers shadow IT, misconfigured services, and external attack vectors associated with supply chain partners.
  • Best Used For: Large organizations monitoring internet-facing risk—including subsidiaries and suppliers.
  • Safety Tip: Use read-only views to prevent alert fatigue for third-party teams.
  • Cyber 12 Tip: Use Illuminate data to build exposure maps for vendor incident simulations.
  • Try it here: https://www.microsoft.com/en-us/security/business/microsoft-security-copilot

UpGuard Vendor Risk

  • Purpose: Score, track, and document third-party cybersecurity risks.
  • Description: UpGuard simplifies third-party risk assessments with automated scoring and real-time alerts for vendor compromise signals.
  • Best Used For: Onboarding vendors, regulatory reporting, or shared responsibility reviews.
  • Safety Tip: Include OSINT checks (like WHOIS + VirusTotal) in your vendor onboarding playbook.
  • Cyber 12 Tip: Incorporate this into supply chain risk tabletop exercises with procurement.
  • Try it here: https://www.upguard.com/vendor-risk

Email & Domain Security Analysis

Email remains the top attack vector for phishing and social engineering. This category helps security teams inspect domain configurations, spoofing risks, and misconfigured authentication records like SPF, DKIM, and DMARC.

MxToolbox

  • Purpose: Analyze domain health, email authentication, and blacklisting status.
  • Description: MxToolbox checks SPF/DKIM/DMARC alignment, DNS health, and mail server vulnerabilities.
  • Best Used For: Investigating phishing campaigns and validating domain reputation.
  • Safety Tip: Monitor domain configuration regularly to prevent spoofing and impersonation attacks.
  • Cyber 12 Tip: Use MxToolbox to demo misconfigured domains during awareness training.
  • Try it here: https://mxtoolbox.com

DMARC Analyzer

  • Purpose: Visualize DMARC compliance and track domain spoofing attempts.
  • Description: DMARC Analyzer provides dashboards and reporting tools to help ensure proper domain authentication and enforcement.
  • Best Used For: Organizations managing their own mail servers or domains.
  • Safety Tip: Enable DMARC with enforcement (quarantine or reject) for best protection.
  • Cyber 12 Tip: Show participants how a missing DMARC record leaves a domain open to abuse.
  • Try it here: https://www.dmarcanalyzer.com

EmailRep.io (reused here intentionally)

  • Purpose: Investigate sender email addresses for reputation and risk.
  • Description: EmailRep scores email addresses based on breach history, domain age, social presence, and malicious behavior patterns.
  • Best Used For: Email investigations, suspicious login detection, and phishing analysis.
  • Safety Tip: Don’t judge solely by score—check sender domain health too.
  • Cyber 12 Tip: Use EmailRep to triage suspicious HR or IT messages in simulations.
  • Try it here: https://emailrep.io

By leveraging these OSINT tools, individuals and professionals alike can take proactive steps to understand, monitor, and protect their digital presence. Whether you’re a parent checking safe search engines for your child, a community member exploring online safety, or a cybersecurity student analyzing threat actors and exposed assets, there’s a tool here to empower you. Staying informed is your first line of defense—and with the right resources at your fingertips, cybersecurity doesn’t have to be overwhelming. Explore, learn, and take action—because protecting yourself online is no longer optional; it’s essential.