feat: Extended arsenal — 13 additional tools for red team, forensics, cloud offensive, and DevSecOps
Added to sovereign-tool-stack.md:

Red Team & Adversary Simulation:
- Sliver: open-source C2 replacing Cobalt Strike for adversary simulation
- Stratus Red Team: executes real cloud attack techniques (AWS/Azure/GCP)
- CloudFox: attacker-view cloud privilege mapping and exploitation

Container & Runtime Security:
- Falco: runtime threat detection for Kubernetes and Linux
- Tetragon: eBPF-based security observability (noted as alternative)

Endpoint Forensics & IR:
- Velociraptor: remote forensic artefact collection and hunting across thousands of endpoints via VQL

Threat Intelligence:
- OpenCTI: structured threat actor/TTP/IOC correlation from Filigran

Deception:
- OpenCanary: lightweight honeypot for early network reconnaissance warning

Code & Secrets Security:
- GitLeaks: scans repositories for hardcoded secrets
- Semgrep: lightweight static analysis with full data sovereignty

Email Security Testing:
- GoPhish: open-source phishing simulation and user training

Certificate Monitoring:
- CertStream + crt.sh: real-time and historical certificate transparency monitoring for subdomain discovery

Updated: Complete Capability Matrix, Per-Module Tool Pairing (Module 9 and 10 now include extended tools), Deployment Complexity table, and Integration With Existing Frameworks cross-references.
@@ -310,6 +310,17 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
| Cloud asset mapping | **Cartography** | CloudQuery | Lucidscale, Faddom | Complex multi-cloud; incident response |
| Perimeter scanning | **Nuclei + Amass + Naabu** | OpenVAS, Greenbone | Tenable.asm, Cortex Xpanse | External attack surface management |
| Vulnerability discovery | **osquery + Grype** | OpenVAS, Nessus Essentials | Tenable, Qualys | Zero-budget first sweep; continuous monitoring |
| Red team C2 | **Sliver** | Mythic | Cobalt Strike | Adversary simulation; EDR efficacy testing |
| Cloud attack simulation | **Stratus Red Team** | — | — | Cloud red team; Azure/AWS assessments |
| Cloud privilege analysis | **CloudFox** | PMapper | — | Cloud penetration tests |
| Container runtime detection | **Falco** | Tetragon | Aqua Runtime, Twistlock | Kubernetes workloads |
| Endpoint forensics | **Velociraptor** | KAPE | Encase, FTK | Incident response; threat hunting |
| Threat intelligence platform | **OpenCTI** | MISP, Yeti | ThreatConnect, Anomali | SOC maturity; regulated industries |
| Honeypot / deception | **OpenCanary** | T-Pot | Thinkst Canary | Flat networks; OT/IT bridges |
| Secrets detection | **GitLeaks** | TruffleHog | GitGuardian | DevSecOps; supply chain |
| Static code analysis | **Semgrep** | Bandit, Brakeman | SonarQube, Snyk Code | CI/CD security gates |
| Phishing simulation | **GoPhish** | — | KnowBe4, Cofense | Awareness programmes |
| Certificate monitoring | **CertStream + crt.sh** | Sublist3r | Censys, SecurityTrails | Continuous perimeter monitoring |

---

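Review bot: the Container runtime detection row treats Tetragon only as Falco's open-source alternative, but the Extended Arsenal section below gives Tetragon its own entry with a "Why we use it" rationale, the Complete Extended Arsenal Matrix gives it a separate "eBPF runtime enforcement" capability, and the Deployment Complexity table has no Tetragon row at all. Pick one status and apply it everywhere: either add a `| eBPF runtime enforcement | **Tetragon** | Falco | — | Critical infrastructure K8s |` row here plus a Deployment Complexity row, or keep Tetragon as an alternative and drop its separate matrix row. The "Certificate monitoring" capability name also differs from the later section heading "Certificate and Subdomain Monitoring" and its "Gap Filled" text ("Subdomain discovery and unauthorised certs"); using the same name in this row would keep the matrix consistent with the section.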
@@ -331,13 +342,17 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
**Primary**: BloodHound + Purple Knight / Forest Druid
**Augmentation**: osquery (endpoint state of domain controllers)

### Module 9: Organisational Resilience and DevSecOps
**Primary**: Falco (container runtime security) + Semgrep (static code analysis) + GitLeaks (secrets detection)
**Augmentation**: Syft + Grype + Trivy (supply chain scanning); Shuffle (CI/CD security automation)

### Module 10: Red Team & Validation
**Primary**: BloodHound (attack path validation) + Nuclei (external validation)
**Augmentation**: Zeek + Suricata (detect red team activity from blue team perspective)
**Primary**: BloodHound (attack path validation) + Nuclei (external validation) + Sliver (adversary simulation)
**Augmentation**: Stratus Red Team (cloud attack simulation); CloudFox (cloud privilege escalation); Zeek + Suricata (detect red team activity from blue team perspective); OpenCanary (deception and early warning)

### Module 12: Blue/Purple Team Foundation
**Primary**: Wazuh + Sysmon + TheHive + Cortex + Shuffle
**Augmentation**: AOC (M365-specific detections) + osquery (endpoint telemetry)
**Augmentation**: AOC (M365-specific detections) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)

### Retained Capability: Detection Engineering
**Primary**: Wazuh (rule authoring) + AOC (M365 detections) + Shuffle (response playbooks)

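Review bot: the new Module 12 Augmentation line drops osquery (endpoint telemetry) when it adds Velociraptor, but the Velociraptor entry in this same patch positions the two as complementary ("osquery gives you structured inventory. Velociraptor gives you forensic capability"), and the Osquery and Retained Capability cross-references still rely on osquery as the endpoint discovery layer. Suggest keeping it: `**Augmentation**: AOC (M365-specific detections) + osquery (endpoint telemetry) + Velociraptor (endpoint forensics) + OpenCanary (deception) + OpenCTI (threat intel correlation)`. Separately, OpenCanary is listed under Module 10 (red team) augmentation here, while its own entry's "When to deploy" names only Module 6 and Module 12; either add Module 10 to that entry or remove OpenCanary from the Module 10 line so the pairing and the tool entry agree.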
@@ -362,6 +377,196 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
| Syft + Grype | 1 hour | None | Low | Low (container metadata) |
| Zeek + Suricata | 1 day | Network tap or SPAN port | High | High (network traffic) |
| Cartography | 4 hours | Neo4j + AWS/GCP/Azure APIs | Medium | Medium (cloud metadata) |
| Sliver | 2 hours | C2 server (cloud or on-prem) | High | High (red team infrastructure) |
| Stratus Red Team | 1 hour | AWS/Azure/GCP CLI access | Medium | High (executes real attacks) |
| CloudFox | 1 hour | None (runs from laptop) | Medium | Medium (cloud metadata) |
| Falco | 4 hours | Kubernetes daemonset or Linux host | Medium | High (container runtime data) |
| Velociraptor | 4 hours | Velociraptor server + agents | Medium | High (forensic artefacts) |
| OpenCTI | 1 day | Docker host or VM | Medium | Medium (threat intel data) |
| OpenCanary | 30 minutes | Any Linux/Windows host | Low | Low (honeypot only) |
| GitLeaks | 30 minutes | None (CLI or CI/CD) | Low | Medium (source code access) |
| Semgrep | 1 hour | None (CLI or CI/CD) | Low | Medium (source code access) |
| GoPhish | 2 hours | Docker host or VM | Low | Medium (user email data) |

---

## Extended Arsenal: Advanced and Specialised Tools

Beyond the core stack, these tools address specific niches that arise in sophisticated engagements. They are not deployed on every client, but when the situation demands them, no commercial alternative comes close.

---

### Red Team and Adversary Simulation

#### Sliver

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source cross-platform adversary simulation and command-and-control (C2) framework. Replaces Cobalt Strike for red team engagements at zero licensing cost. |
| **Why we use it** | Cobalt Strike costs €30,000+/year and is fingerprinted by most EDR. Sliver is free, actively maintained by Bishop Fox, and supports DNS, HTTPS, mutual TLS, and WireGuard C2 channels. It generates implants for Windows, macOS, and Linux. |
| **When to deploy** | Module 10 (Red Team & Validation); purple team exercises; EDR efficacy testing |
| **Integration** | Red team activity detected by Wazuh + Sysmon feeds into TheHive cases; AOC correlates any M365 session anomalies with red team timing |

**The conversation**:

> *"We ran a controlled adversary simulation against your environment using Sliver. Your EDR detected 3 of 7 techniques. Your MSSP never saw the lateral movement. Your SIEM has no alert for the credential dumping. These are not theoretical gaps. These are tomorrow's breach headlines. Here is the detection engineering backlog to close them."*

---

#### Stratus Red Team

| Attribute | Detail |
|-----------|--------|
| **What it does** | Generates real cloud attack techniques against AWS, Azure, and GCP. Not a scanner—an actual attack simulator that executes TTPs and then cleans up. |
| **Why we use it** | Prowler finds misconfigurations. Stratus proves they are exploitable. It automates the gap between "this S3 bucket is public" and "we exfiltrated 2 GB of data from it and your cloud trail logged nothing useful." |
| **When to deploy** | Module 10 (Red Team); cloud security assessments; purple team exercises in Azure/AWS environments |
| **Integration** | Attack telemetry feeds into Wazuh/SIEM for detection validation; findings enrich AI-assisted TVM cloud risk scores |

---

#### CloudFox

| Attribute | Detail |
|-----------|--------|
| **What it does** | Cloud exploitation framework for AWS, Azure, and GCP. Maps permissions, finds privilege escalation paths, and identifies exposed resources from an attacker's perspective. |
| **Why we use it** | Prowler audits from the compliance perspective. CloudFox thinks like an attacker: "I have this IAM role—what can I actually do with it?" It finds indirect privilege escalation paths that scanners miss. |
| **When to deploy** | Module 10 (Red Team); cloud penetration tests; Azure/AWS security assessments |
| **Integration** | Output feeds into Cartography for unified cloud attack path mapping |

---

### Container and Cloud-Native Runtime Security

#### Falco

| Attribute | Detail |
|-----------|--------|
| **What it does** | Runtime security detection for containers, Kubernetes, and Linux hosts. Uses system call monitoring to detect anomalous behaviour: unexpected outbound connections, privileged container escapes, sensitive file access. |
| **Why we use it** | Syft + Grype find vulnerable packages at build time. Falco detects exploitation at runtime. Without Falco, a container with a CVE can be exploited silently. |
| **When to deploy** | Any client with Kubernetes or containerised workloads; Module 9 (Organisational Resilience) for CI/CD security gates |
| **Integration** | Falco alerts feed into Wazuh or directly to TheHive; AOC correlates container events with M365 identity context for supply-chain attack detection |

---

#### Tetragon

| Attribute | Detail |
|-----------|--------|
| **What it does** | eBPF-based security observability and runtime enforcement for Kubernetes and Linux. Provides process execution tracing, network monitoring, and file access detection at kernel level with minimal overhead. |
| **Why we use it** | From the creators of Cilium. More granular than Falco in some dimensions. Can kill processes in real-time (not just detect). Ideal for high-security environments that need active runtime protection without commercial agents. |
| **When to deploy** | Critical infrastructure; financial services; high-sensitivity Kubernetes environments |

---

### Endpoint Forensics and Incident Response

#### Velociraptor

| Attribute | Detail |
|-----------|--------|
| **What it does** | Endpoint visibility and digital forensics platform. Hunts across thousands of endpoints in seconds using VQL (Velociraptor Query Language). Collects files, memory artefacts, registry keys, and event logs remotely. |
| **Why we use it** | osquery gives you structured inventory. Velociraptor gives you forensic capability: extract the MFT, hunt for specific malware indicators, collect browser history, or dump credentials from memory—across the entire estate in minutes. |
| **When to deploy** | Incident response retainers; Module 12 (Blue/Purple Team); any engagement where forensic artefact collection is required |
| **Integration** | Hunt results feed into TheHive cases; file hashes submitted to Cortex analyzers; YARA rules shared with Wazuh |

**The conversation**:

> *"A user reported a suspicious email. Three hours later, we used Velociraptor to hunt across 2,000 endpoints and found four machines with the same payload in memory. We extracted the payload, analysed it in Cortex, and determined it was a new variant of a known banking trojan. Total time from alert to attribution: 47 minutes. No endpoint agent was installed on those machines. Velociraptor collected everything remotely."*

---

### Threat Intelligence

#### OpenCTI

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source threat intelligence platform from Filigran. Ingests, structures, and correlates threat data from MISP, CVE databases, vendor advisories, and OSINT feeds. Provides relationship mapping between threat actors, TTPs, IOCs, and victimology. |
| **Why we use it** | Most organisations collect threat intel but cannot use it. OpenCTI turns raw IOCs into structured intelligence: "APT29 uses this technique → which targets our industry → and exploits this CVE → which we have on 12 servers." |
| **When to deploy** | Module 12 (Blue/Purple Team); retained capability engagements; clients in regulated industries with threat intel mandates |
| **Integration** | MISP feed ingestion; Wazuh rules enriched with OpenCTI context; TheHive cases auto-populated with threat actor profiles |

---

### Deception and Early Warning

#### OpenCanary

| Attribute | Detail |
|-----------|--------|
| **What it does** | Lightweight, low-interaction honeypot daemon. Simulates services (SMB, RDP, SSH, HTTP, SQL, Git) and alerts when probed. Takes 10 minutes to deploy. |
| **Why we use it** | Every network has blind spots. An attacker scanning for RDP on port 3389 will hit OpenCanary first—and trigger an alert before reaching real systems. It is an asymmetric defence: 10 minutes of deployment for early warning that no EDR can replicate. |
| **When to deploy** | Module 6 (AD Hardening); Module 12 (Blue/Purple Team); any client with flat network topology or legacy protocols |
| **Integration** | Alerts feed into Wazuh or directly to Shuffle for automated response (isolate attacker IP, notify SOC) |

---

### Code and Secrets Security

#### GitLeaks

| Attribute | Detail |
|-----------|--------|
| **What it does** | Scans Git repositories for hardcoded secrets: API keys, passwords, tokens, private keys. Supports pre-commit hooks and CI/CD integration. |
| **Why we use it** | The most common cloud breach vector is not zero-day exploitation. It is a developer committing an AWS access key to GitHub. GitLeaks finds it before the commit—or scans historical commits for existing leakage. |
| **When to deploy** | Module 9 (Organisational Resilience); DevSecOps engagements; any client with active software development |
| **Integration** | CI/CD pipeline integration; findings fed into CISO Assistant for evidence tracking; AOC monitors for any M365 session using leaked credentials |

---

#### Semgrep

| Attribute | Detail |
|-----------|--------|
| **What it does** | Lightweight static analysis engine that scans code for security vulnerabilities, dangerous patterns, and compliance violations. Supports 30+ languages and runs locally without sending code to cloud services. |
| **Why we use it** | SonarQube and Snyk are excellent but expensive and cloud-dependent. Semgrep provides equivalent coverage for common vulnerability classes with full data sovereignty. The rules are open and auditable. |
| **When to deploy** | DevSecOps engagements; Module 9 (Organisational Resilience); software supply chain assessments |
| **Integration** | CI/CD pipeline gating; findings correlated with SBOMs from Syft for complete supply chain visibility |

---

### Phishing Simulation and Email Security Testing

#### GoPhish

| Attribute | Detail |
|-----------|--------|
| **What it does** | Open-source phishing simulation framework. Build campaigns, track click rates, capture credentials (in training mode), and measure user susceptibility over time. |
| **Why we use it** | Commercial phishing platforms cost €5-15/user/year. GoPhish is free, self-hosted, and produces equivalent metrics. It integrates with LDAP for realistic email targeting. |
| **When to deploy** | Module 3 (M365 Security Hardening); security awareness programmes; post-incident user training |
| **Integration** | Results feed into CISO Assistant for training evidence; high-risk users flagged in AOC for enhanced monitoring |

---

### Certificate and Subdomain Monitoring

#### CertStream + Crt.sh

| Attribute | Detail |
|-----------|--------|
| **What it does** | CertStream monitors certificate transparency logs in real-time; crt.sh provides historical certificate search. Together they reveal subdomains, infrastructure changes, and unauthorised certificates issued for client domains. |
| **Why we use it** | Attackers register subdomains for phishing campaigns. Developers register subdomains they forget to secure. Certificate monitoring finds both before they become incidents. |
| **When to deploy** | Perimeter scanning engagements; shadow IT discovery; continuous external monitoring |
| **Integration** | New subdomains feed into Nuclei for immediate vulnerability scanning; findings enrich perimeter scanning reports |

---

### Complete Extended Arsenal Matrix

| Capability | Tool | Gap Filled | When to Deploy |
|-----------|------|-----------|----------------|
| C2 / Adversary simulation | **Sliver** | Cobalt Strike replacement; EDR efficacy testing | Red team; purple team |
| Cloud attack simulation | **Stratus Red Team** | Proves cloud misconfigs are exploitable, not just visible | Cloud red team; Azure/AWS assessments |
| Cloud privilege analysis | **CloudFox** | Attacker-view cloud permission mapping | Cloud penetration tests |
| Container runtime detection | **Falco** | Detects container exploitation at runtime | Kubernetes workloads |
| eBPF runtime enforcement | **Tetragon** | Kernel-level process killing and tracing | Critical infrastructure K8s |
| Endpoint forensics | **Velociraptor** | Remote artefact collection and hunting | Incident response; threat hunting |
| Threat intelligence platform | **OpenCTI** | Structured threat actor/TTP/IOC correlation | SOC maturity; regulated industries |
| Honeypot / deception | **OpenCanary** | Early warning for network reconnaissance | Flat networks; OT/IT bridges |
| Secrets detection | **GitLeaks** | Hardcoded credentials in source code | DevSecOps; supply chain |
| Static code analysis | **Semgrep** | Vulnerability detection without cloud dependency | CI/CD security gates |
| Phishing simulation | **GoPhish** | User susceptibility measurement and training | Awareness programmes |
| Certificate monitoring | **CertStream + crt.sh** | Subdomain discovery and unauthorised certs | Continuous perimeter monitoring |

---

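Review bot: the Velociraptor "conversation" contradicts the Deployment Complexity table added in the same hunk. The table lists the prerequisite as "Velociraptor server + agents" with "High (forensic artefacts)" sensitivity, while the quote claims "No endpoint agent was installed on those machines. Velociraptor collected everything remotely"; the quote also opens with "Three hours later" and then reports "Total time from alert to attribution: 47 minutes". Rewrite it so the collection model matches the table (agent-based hunting, or an explicitly described agentless collection step) and so one timeline is used. The same kind of mismatch appears elsewhere in the hunk and should be reconciled in the same pass: OpenCanary "Takes 10 minutes to deploy" in its entry but "30 minutes" in the table; the Tetragon entry is the only one without an **Integration** row; and the Stratus Red Team entry says it "executes TTPs and then cleans up" and the table rates it "High (executes real attacks)", yet neither states that runs must be confined to a dedicated, authorised test account, which is the prerequisite a reader needs before the "1 hour / Medium" rating is believable. A one-line prerequisite in that entry (or a footnote on the table row) would close the gap.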
@@ -385,13 +590,14 @@ Our current stack covers cloud posture, AD security, GRC, M365 configuration, an
| Document | Integration |
|----------|-------------|
| [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery |
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context |
| [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter |
| [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection |
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection |
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex |
| [Zero-Budget Vulnerability Discovery](zero-budget-vulnerability-discovery.md) | Syft + Grype container pipeline; osquery endpoint discovery; Prowler cloud-native discovery; GitLeaks secrets scanning |
| [AI-Assisted TVM Blueprint](ai-assisted-tvm.md) | All discovery tools feed the AI prioritisation engine; AOC provides insider-threat context; OpenCTI enriches with threat actor context |
| [Perimeter Scanning Capability](perimeter-scanning-capability.md) | Nuclei + Amass + Naabu form the open-source active scanning layer; Prowler covers cloud perimeter; CertStream monitors for new subdomains |
| [Osquery: The Sovereign Discovery Platform](osquery-custom-platform.md) | osquery + FleetDM is the endpoint discovery layer; Wazuh extends to behavioural detection; Velociraptor adds forensic hunting |
| [Blue/Purple Team Foundation](../core/blue-purple-team-foundation.md) | Wazuh + TheHive + Cortex + Shuffle form the open-source SOC stack; AOC adds M365-specific detection; Sliver enables adversary simulation; OpenCanary provides deception |
| [Retained Capability](../core/retained-capability.md) | Detection Engineering retained capability is built on Wazuh + AOC + Shuffle; Threat Context on TheHive + Cortex + OpenCTI |
| [Modular Engagements](../core/modular-engagements.md) | Each module has a recommended tool pairing in the matrix above |
| [AD and Endpoint Hardening](ad-endpoint-hardening.md) | BloodHound maps attack paths; Purple Knight / Forest Druid score AD security; Velociraptor hunts forIndicators of Compromise on domain controllers |

---


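Review bot: typo in the new AD and Endpoint Hardening row, "Velociraptor hunts forIndicators of Compromise" should read "hunts for Indicators of Compromise". Also, the updated Blue/Purple Team Foundation row credits Sliver to that document, while the Sliver entry's "When to deploy" names Module 10 (Red Team & Validation) and lists purple team exercises only as a secondary use; either say "Sliver supports purple team exercises" in this row, matching the tool entry, or move the Sliver cross-reference to a Module 10 / Modular Engagements row so the table does not imply the blue/purple document owns the C2 capability.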