Your Security Response Toolkit
This site offers a proposed collection of tools in a plug&play live image to provide first steps to new incident handling teams. Information on this site reflects the experience of a number of European CSIRTs, with tools used and supported by active CSIRTs.


Computer Security Incident Response Teams (CSIRTs) are responsible for receiving and reviewing incident reports, and responding to them as appropriate. These services are normally performed for a defined constituency such as a corporation, institution, educational or government network, region or country, or a paid client. CSIRT services generally fall into three categories - reactive (e.g vulnerability alerts, incident handling); proactive (e.g. intrusion detection, auditing and information dissemination); and security quality management (e.g. risk analysis, disaster recovery planning, and education and training).

Incident handling information

IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets and log files using a message queuing protocol.

Security Incident Response Platform

The Hive is a scalable, open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner.

Network forensics

NfSen allows you to keep all the convenient advantages of the command line using nfdump directly and gives you also a graphical overview over your netflow data.

Operational intelligence

Use Elastic to search, monitor, analyze and visualize machine data.

The Open Source Security Platform

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Lightweight shipper for network data

Packetbeat is a lightweight network packet analyzer that sends data from your hosts and containers to Logstash or Elasticsearch.

Next tools in progress….

More tools will be added soon!

Download VirtualBox OVA


Credentials needed to log into the virtual machine:
User: csirt-kit
Pass: csirt-kit


In this PDF you'll explore and "play" with a collection of CERT's daily used opensource tools for handling security incidents. (A live image will be provided where tools like TheHive, Cortex, IntelMQ, NFsen, Wazuh and Packetbeat are included)

Download it here!

Credentials needed to log into the virtual machine:
User: csirt-kit
Pass: csirt-kit

When login open Mozilla Firefox and enjoy with local tools through browser bookmarks!

Thank's to Rodrigo Zamora Nelson for the work done in his Master's Thesis


Contact us

Published under the Apache License 2.0.