Tools and Resources

Security

Security Assessment Tools

Vulnerability Scanners

  • Network: Nessus, OpenVAS, Rapid7 Nexpose
  • Web Applications: OWASP ZAP, Burp Suite, Acunetix
  • Database: SQLmap, NoSQLmap
  • Container: Clair, Trivy, Twistlock
  • Infrastructure as Code: Checkov, Terrascan, tfsec

Security Testing Frameworks

  • OWASP Security Knowledge Framework (SKF): Training and guidance
  • Microsoft Threat Modeling Tool: STRIDE-based threat modeling
  • NIST Cybersecurity Framework Tools: Implementation guidance
  • MITRE ATT&CK: Threat intelligence and testing

Penetration Testing Tools

  • Kali Linux: Comprehensive penetration testing distribution
  • Metasploit: Exploitation framework
  • Nmap: Network discovery and security auditing
  • Wireshark: Network protocol analyzer
  • John the Ripper: Password cracking tool

Security Monitoring and Response

Security Information and Event Management (SIEM)

  • Enterprise: Splunk, IBM QRadar, ArcSight
  • Cloud-Native: AWS Security Hub, Azure Sentinel, Google Chronicle
  • Open Source: ELK Stack (Elasticsearch, Logstash, Kibana), OSSIM

Threat Intelligence Platforms

  • Commercial: Recorded Future, CrowdStrike, FireEye
  • Open Source: MISP, OpenCTI, YARA
  • Government: US-CERT, CISA alerts, threat feeds

Compliance and Governance Tools

Governance, Risk, and Compliance (GRC)

  • Enterprise: ServiceNow GRC, RSA Archer, MetricStream
  • Cloud-Based: Carbide, Vanta, Drata
  • Specialized: Compliance framework automation

Risk Assessment Tools

  • Quantitative: FAIR (Factor Analysis of Information Risk)
  • Qualitative: Risk matrices and scoring systems
  • Hybrid: Combines quantitative and qualitative approaches
