Your Security Response Toolkit
This site offers a proposed collection of tools in a plug&play live image to provide first steps to new incident handling teams. Information on this site reflects the experience of a number of European CSIRTs, with tools used and supported by active CSIRTs.


Computer Security Incident Response Teams (CSIRTs) are responsible for receiving and reviewing incident reports, and responding to them as appropriate. These services are normally performed for a defined constituency such as a corporation, institution, educational or government network, region or country, or a paid client. CSIRT services generally fall into three categories - reactive (e.g vulnerability alerts, incident handling); proactive (e.g. intrusion detection, auditing and information dissemination); and security quality management (e.g. risk analysis, disaster recovery planning, and education and training).

Open Source Threat Intelligence Platform

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators.

Incident handling information

IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, tweets and log files using a message queuing protocol.

Security Incident Response Platform

The Hive is a scalable, open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner.

Network forensics

NfSen allows you to keep all the convenient advantages of the command line using nfdump directly and gives you also a graphical overview over your netflow data.

Operational intelligence

Use Elastic to search, monitor, analyze and visualize machine data.

The Open Source Security Platform

Wazuh is a free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

Lightweight shipper for network data

Packetbeat is a lightweight network packet analyzer that sends data from your hosts and containers to Logstash or Elasticsearch.

Log management done right

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

Extendable workflow automation

N8N move and transform data between different apps and databases without getting caught up in API docs and troubleshooting CORS errors.

Next tools in progress….

More tools will be added soon!

Download VirtualBox OVA

MD5sum: 7d5f0a19e87ecdfc3b121795dd2eabad

Credentials needed to log into the virtual machine:
User: csirt-kit
Pass: csirt-kit


In this PDF you'll explore and "play" with a collection of CERT's daily used opensource tools for handling security incidents. (A live image will be provided where tools like TheHive, Cortex, IntelMQ, NFsen, Wazuh and Packetbeat are included)

Download it here!

Credentials needed to log into the virtual machine:
User: csirt-kit
Pass: csirt-kit

Switch on in Virtual Box and follow console indications

Thank's to Rodrigo Zamora Nelson and Sergi Majoral LLimiñana for the work done in his Master's Thesis


Contact us

Published under the Apache License 2.0.