PANOPTICON

Awesome Lists

23 curated GitHub awesome-lists I cross-reference when building DFIR / CTI tradecraft. Each card opens the canonical README; the why line under each entry explains the niche it fills better than its peers.

Awesome-list READMEs decay; star count + the maintainer's commit cadence are freshness proxies, not guarantees. Verify a specific link before relying on it.


  • mythreatintel.com
    reference

    Spanish/English dashboard tracking ransomware incidents with country / sector / timeline charts. Open-directory at /rescate/ + /screenshots/ provides 180+ ransom-note transcripts and leak-site landing-page captures. No RSS feed.

    why: The only public source I have found that ships per-group ransom-note transcripts AND leak-site screenshots together — linked from the External Sources block on /threatintel.

  • jivoi/awesome-osint
    essential

    The canonical OSINT meta-list — sites, tools, browser extensions, image/video search, breach data, and country-specific resources, organised by investigation surface.

    why: First-stop reference. If a public OSINT tool is worth knowing, it is in here.

  • soxoj/awesome-osint-mcp-servers
    specialised

    Model Context Protocol servers that expose OSINT tools (Maigret, Holehe, etc.) to LLM agents. Useful for wiring OSINT capabilities into Claude / Cursor / Cline.

    why: Bridges OSINT tradecraft and the agent stack — the place to discover OSINT MCPs you can wire into your IDE.

  • hslatman/awesome-threat-intelligence
    essential

    The de-facto CTI reference list — sources, formats (STIX/TAXII), frameworks (MITRE, Diamond), training, books, and research blogs. Updated for over a decade.

    why: Best single index of CTI primary sources. Cross-reference whenever a vendor claims novelty.

  • brandonhimpfen/awesome-threat-intelligence
    specialised

    Smaller, recently-curated CTI list — feeds, platforms, and tools focused on detect / analyze / respond. Lighter than hslatman but easier to skim end-to-end.

    why: Useful as a quick-glance complement to hslatman — different curator, slightly different selection bias.

  • meirwah/awesome-incident-response
    essential

    IR tools index — triage, evidence collection, memory forensics, network forensics, malware analysis, sandbox stacks, plus IR books / courses / playbooks.

    why: The reference list to hand a junior IR analyst on day one.

  • SlimKQL/Detections.AI
    specialised

    Mirrored KQL detection-rule library — Defender XDR / Microsoft Sentinel rules with a focus on AI-related, identity-attack, and emerging-threat detections. Active commit cadence.

    why: Sharper / niche complement to Azure-Sentinel — wired into /threatintel/rules as a detection-rule source so latest commits appear in the live feed.

  • mthcht/awesome-lists
    reference

    A SOC / CERT / CTI working catalogue — IOC feeds, suspicious user-agent strings, malicious ASN lists, scanner fingerprints, detection-rule sources. Practitioner-curated.

    why: High operational density — many of the lists here are directly importable into a SIEM or feed pipeline.

  • okhosting/awesome-cyber-security
    reference

    Broad cybersec resource catalogue — red/blue tools, certifications, books, talks, podcasts. Generalist coverage rather than niche depth.

    why: Useful for orientation and when an adjacent topic needs a starting bibliography.

  • Puliczek/awesome-mcp-security
    specialised

    Model Context Protocol security — published vulns, attack surface notes, defensive tooling, server-hardening tips, and MCP-specific threat research.

    why: MCP is a fast-moving attack surface. Track this for new server CVEs and posture-management tooling.

  • MorDavid/awesome-cyber-security-mcp
    specialised

    Index of cybersecurity-focused MCP servers — pentest helpers, IOC enrichment, threat-feed bridges. Smaller list, narrower than the OSINT-MCP one.

    why: Pair with the OSINT-MCP list to discover MCPs that fit your defensive workflow.

  • Eyadkelleh/awesome-claude-skills-security
    specialised

    Security testing toolkit for Claude Code — curated SecLists wordlists, injection payloads, and expert agents for authorized pentest / CTF / bug-bounty work.

    why: Useful pattern reference for building security-flavoured skills in Claude Code.

  • Hack-with-Github/Awesome-Hacking
    essential

    Meta-list of awesome-lists — pen-test, exploit dev, web security, mobile, hardware, malware, CTF, OSINT, social engineering. The "start here" index for everything else.

    why: The directory of directories. When a sub-domain is too niche for the lists in this catalogue, find its sibling here.

  • carpedm20/awesome-hacking
    reference

    Broad hacking tutorials, tools, conference talks, papers, books — older but well-organised, complements the Hack-with-Github meta-list with deeper per-topic curation.

    why: Stronger on conference talks + papers than the Hack-with-Github meta-list — pair the two.

  • onlurking/awesome-infosec
    reference

    Curated infosec courses + training resources — university lecture series, free MOOCs, books, lab platforms, certification prep.

    why: The reference list when someone asks "how do I get into infosec" — has actual learning paths, not just tool lists.

  • enaqx/awesome-pentest
    essential

    Penetration-testing tools, books, courses, conferences, intentionally-vulnerable apps, online resources. The canonical pentest meta-list.

    why: Best single index of pentest tooling — keeps you from rebuilding a discovery list every engagement.

  • paragonie/awesome-appsec
    reference

    Application-security learning resources — cryptography pitfalls, secure-code reviews, OWASP Top-10 deep dives, language-specific guidance.

    why: AppSec-focused complement to the broader pentest list — heavier on theory + code-review craft.

  • 0xInfection/Awesome-WAF
    specialised

    Everything WAF — fingerprints, bypass techniques, evasion research, vendor-specific notes, related CVEs. From an offensive-research perspective.

    why: The reference when you need to fingerprint or test against a WAF during a pentest or red-team engagement.

  • analysis-tools-dev/static-analysis
    reference

    Curated SAST tools + linters across every language — Semgrep, CodeQL, SonarQube, Checkmarx, Bandit, gosec, ESLint security plugins, and language-specific entries.

    why: Single source of truth when scoping AppSec automation or evaluating SAST vendors.

  • danielmiessler/SecLists
    essential

    The security tester's companion — usernames, passwords, fuzzing payloads, web-content discovery wordlists, data patterns. Not strictly an awesome-list, but the most-referenced security wordlist collection in existence.

    why: Half of the security-testing tools in this catalogue have SecLists as a default wordlist dependency.

  • joe-shenouda/awesome-cyber-skills
    reference

    Curated list of legal hacking environments to practise on — CTF platforms, intentionally-vulnerable apps, lab simulators, war games. Skill-building only, no live targets.

    why: When upskilling on a new technique, this is faster than building a lab from scratch.

  • caesar0301/awesome-pcaptools
    specialised

    Tools for PCAP capture, analysis, and protocol dissection — from Wireshark plugins to ML-driven anomaly detectors. Includes sample-PCAP corpora for testing.

    why: IR-focused complement to meirwah/awesome-incident-response — sharper on the network-forensics niche.

  • rawfilejson/awesome-osint-arsenal
    specialised

    Curated OSINT + recon toolkit for Kali Linux — 100+ tools with a one-command installer. Strong on the "ready-to-go investigator workstation" angle.

    why: Useful when bootstrapping a fresh OSINT VM — saves an hour of apt+pip+go installs.