# Incident Response Toolkit

# Appendix: Open-Source-Leaning Incident Response Toolkit

This appendix gathers useful free, open-source, publicly available, and affordable tools that can support incident response, evidence collection, investigation, containment, recovery, documentation, and training.

The company does not need every tool listed here. Tool selection should match the company’s size, technical ability, systems, risk level, and available support.

During a serious incident, tools should be used carefully. Avoid installing new tools directly onto compromised systems unless a qualified technical responder approves the approach. In many cases, the safest first step is to preserve evidence, contain the obvious damage, and escalate to qualified support.

# 1. Incident Tracking, Case Management, and Action Tracking

| Tool | Link | Type | Best Use |
|---|---|---|---|
| TheHive | TheHive | Commercial / security case management | Incident case management, triage, collaboration, investigation records, reporting |
| Zammad | Zammad | Open-source / commercial | Security tickets, employee reports, incident follow-up, support workflow |
| osTicket | osTicket | Open-source / commercial | Simple helpdesk-style incident intake and action tracking |
| GLPI | GLPI | Open-source / commercial | IT service desk, assets, tickets, incident records, follow-up tasks |
| Jira Service Management | Jira Service Management | Commercial / free tier | Incident workflows, approvals, tasks, and improvement tracking |
| OpenProject | OpenProject | Open-source / commercial | Improvement project tracking and leadership-visible remediation work |
| Kanboard | Kanboard | Open-source | Lightweight task board for incident and improvement actions |

# 2. Secure Documentation and Evidence Storage

| Tool | Link | Type | Best Use |
|---|---|---|---|
| CryptPad | CryptPad | Open-source / free options | Secure notes, incident timelines, collaborative documentation |
| Nextcloud | Nextcloud | Open-source / commercial | Controlled storage for evidence, reports, screenshots, and response records |
| BookStack | BookStack | Open-source | Internal incident response handbook, procedures, and evidence references |
| Wiki.js | Wiki.js | Open-source | Internal knowledge base for procedures, contacts, and playbooks |
| Google Drive | Google Drive | Free / Workspace | Evidence storage and controlled sharing for Google-based SMEs |
| SharePoint | SharePoint | Microsoft 365 | Evidence storage and controlled sharing for Microsoft-based SMEs |

# 3. Endpoint Investigation and Response

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Velociraptor | Velociraptor | Open-source | Endpoint visibility, forensic collection, hunting, remote investigation |
| osquery | osquery | Open-source | Querying endpoint state, installed software, processes, users, and system details |
| Fleet | Fleet | Open-source / commercial | Managing osquery at scale across endpoints |
| Sysmon | Sysmon | Free Microsoft tool | Detailed Windows endpoint logging for process, network, and file activity |
| Wazuh Agent | Wazuh | Open-source | Endpoint monitoring, detection, vulnerability visibility, file integrity monitoring |
| Microsoft Defender for Business | Microsoft Defender for Business | Affordable commercial | Endpoint protection and response for Microsoft-based SMEs |

# 4. Logging, SIEM, and Detection

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Wazuh | Wazuh | Open-source | SIEM, XDR, endpoint monitoring, alerting, compliance visibility |
| Security Onion | Security Onion | Free / open platform | Threat hunting, network security monitoring, log management |
| Graylog Open | Graylog Open | Source-available / commercial | Centralized log management and search |
| OpenSearch | OpenSearch | Open-source | Log storage, search, dashboards, and security analytics |
| Grafana Loki | Grafana Loki | Open-source / commercial | Log aggregation and dashboarding |
| Sigma | Sigma | Open-source rule format | Detection rule writing and translation across SIEM platforms |
| ElastAlert 2 | ElastAlert 2 | Open-source | Alerting from Elasticsearch or OpenSearch-style data |
| Microsoft Sentinel | Microsoft Sentinel | Commercial / cloud-native | Cloud SIEM and security analytics for Microsoft-heavy environments |

# 5. Network Monitoring and Containment

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Suricata | Suricata | Open-source | Network intrusion detection and prevention |
| Zeek | Zeek | Open-source | Network visibility, protocol analysis, and security monitoring |
| Nmap | Nmap | Open-source | Network discovery, exposed services, and validation checks |
| OPNsense | OPNsense | Open-source / commercial support | Firewalling, segmentation, VPN, emergency network controls |
| pfSense CE | pfSense Community Edition | Free community edition | Firewalling, routing, VPN, and network containment |
| CrowdSec | CrowdSec | Open-source / commercial | Community-powered intrusion prevention and abusive IP blocking |
| Fail2ban | Fail2ban | Open-source | Brute-force protection for exposed services |
| Wireshark | Wireshark | Open-source | Packet capture review and network troubleshooting |
| tcpdump | tcpdump | Open-source | Command-line packet capture and network evidence collection |

# 6. Digital Forensics and Timeline Analysis

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Autopsy | Autopsy | Open-source | Disk forensics, file recovery, and investigation of affected devices |
| The Sleuth Kit | The Sleuth Kit | Open-source | Low-level disk and file system forensic analysis |
| Volatility 3 | Volatility 3 | Open-source | Memory forensics and volatile evidence analysis |
| Timesketch | Timesketch | Open-source | Collaborative forensic timeline analysis |
| Plaso | Plaso | Open-source | Log and artifact timeline creation |
| Hayabusa | Hayabusa | Open-source | Windows event log threat hunting and timeline analysis |
| Chainsaw | Chainsaw | Open-source | Windows event log searching, Sigma matching, and forensic review |
| DFIR ORC | DFIR ORC | Open-source | Forensic collection on Windows systems |
| KAPE | KAPE | Free / commercial support | Targeted forensic artifact collection and processing |

# 7. Malware, Indicators, and Suspicious Link Review

| Tool | Link | Type | Best Use |
|---|---|---|---|
| CyberChef | CyberChef | Open-source | Decoding, deobfuscation, data transformation, artifact review |
| VirusTotal | VirusTotal | Free / commercial | Checking suspicious files, hashes, domains, URLs, and IPs |
| urlscan.io | urlscan.io | Free / commercial | Reviewing suspicious URLs and phishing pages |
| MISP | MISP | Open-source | Threat intelligence sharing and indicator management |
| YARA | YARA | Open-source | Malware pattern matching and file classification |
| MalwareBazaar | MalwareBazaar | Free public resource | Malware sample and hash intelligence |
| AbuseIPDB | AbuseIPDB | Free / commercial | IP reputation and abuse reporting |
| GreyNoise Community | GreyNoise Community | Free / commercial | Internet noise and IP context |

# 8. Email, Phishing, and Business Email Compromise Support

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Microsoft Report Message / Report Phishing | Microsoft Report Messages | Microsoft 365 | Employee phishing reporting in Outlook |
| Gmail Report Phishing | Gmail Report Phishing | Gmail / Google Workspace | Employee phishing reporting in Gmail |
| MXToolbox | MXToolbox | Free / commercial | Mail server, DNS, SPF, DKIM, DMARC, and blacklist checks |
| DMARCian | DMARCian | Commercial / free tools | DMARC reporting, email authentication monitoring |
| EasyDMARC | EasyDMARC | Commercial / free tools | DMARC, SPF, DKIM, and email security monitoring |
| Gophish | Gophish | Open-source | Phishing simulations and reporting practice |
| CanIPhish | CanIPhish | Free tier / commercial | Phishing simulation and awareness campaigns |
| Google Phishing Quiz | Google Phishing Quiz | Free exercise | Phishing recognition practice |

# 9. Cloud, SaaS, and Configuration Review

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Prowler | Prowler | Open-source / commercial | Cloud security posture checks, especially AWS and multi-cloud use cases |
| ScoutSuite | ScoutSuite | Open-source | Cloud security auditing across major cloud providers |
| Steampipe | Steampipe | Open-source / commercial | Querying cloud, SaaS, and infrastructure configuration data |
| Trivy | Trivy | Open-source | Vulnerability, container, IaC, dependency, and secret scanning |
| Checkov | Checkov | Open-source / commercial | Infrastructure-as-code and cloud configuration scanning |
| Gitleaks | Gitleaks | Open-source | Secret scanning in repositories and files |
| TruffleHog | TruffleHog | Open-source / commercial | Secret scanning across repositories, files, and systems |
| Microsoft Purview Audit | Microsoft Purview Audit | Microsoft 365 | Audit logging and investigation support in Microsoft environments |
| Google Workspace Admin Audit Logs | Google Workspace Audit Logs | Google Workspace | Admin, login, Drive, and user activity review |

# 10. Vulnerability, Exposure, and Website Checks

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Greenbone Community Edition | Greenbone Community Edition | Open-source | Vulnerability scanning |
| Nuclei | Nuclei | Open-source | Template-based vulnerability and exposure scanning |
| WPScan | WPScan | Free / commercial | WordPress vulnerability checks |
| Security Headers | Security Headers | Free public tool | HTTP security header checks |
| SSL Labs Server Test | SSL Labs Server Test | Free public tool | TLS and certificate configuration review |
| Internet.nl | Internet.nl | Free public tool | Website, email, TLS, DNSSEC, and IPv6 checks |
| Shodan | Shodan | Free / commercial | Internet-facing asset and exposure discovery |
| Censys | Censys | Free / commercial | Internet exposure and certificate search |
| Hardenize | Hardenize | Free / commercial | Website, email, and TLS configuration review |
| SecurityTrails | SecurityTrails | Free / commercial | DNS, domain, and internet asset discovery |

# 11. Backup, Recovery, and Restore Validation

| Tool | Link | Type | Best Use |
|---|---|---|---|
| restic | restic | Open-source | Encrypted backups and restore testing |
| BorgBackup | BorgBackup | Open-source | Deduplicated encrypted backups |
| Kopia | Kopia | Open-source | Fast encrypted backups and snapshots |
| Proxmox Backup Server | Proxmox Backup Server | Open-source / commercial support | VM, container, and server backup support |
| Veeam Community Edition | Veeam Community Edition | Free edition / commercial | Backup and recovery for small environments and labs |
| UrBackup | UrBackup | Open-source | Client-server backup for files and images |
| Duplicati | Duplicati | Open-source | Encrypted backups to local and cloud storage |
| Rclone | Rclone | Open-source | File synchronization and backup movement across cloud/storage providers |

# 12. Monitoring, Status, and Notifications

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Uptime Kuma | Uptime Kuma | Open-source | Service uptime monitoring and status checks |
| Healthchecks.io | Healthchecks.io | Open-source / hosted service | Backup job, cron job, and scheduled task monitoring |
| Zabbix | Zabbix | Open-source / commercial support | Infrastructure, server, service, and network monitoring |
| LibreNMS | LibreNMS | Open-source | Network monitoring and device visibility |
| Prometheus | Prometheus | Open-source | Metrics collection and alerting |
| Grafana | Grafana | Open-source / commercial | Dashboards for monitoring and reporting |
| ntfy | ntfy | Open-source / hosted | Lightweight push notifications |
| Gotify | Gotify | Open-source | Self-hosted push notifications |

# 13. Secure Remote Access and Emergency Access Control

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Cloudflare Zero Trust | Cloudflare Zero Trust | Free tier / commercial | Secure access, application access control, emergency access tightening |
| Tailscale | Tailscale | Free tier / commercial | Simple mesh VPN and private access control |
| NetBird | NetBird | Open-source / commercial | WireGuard-based secure access and device connectivity |
| WireGuard | WireGuard | Open-source | Lightweight VPN technology |
| OpenVPN Community Edition | OpenVPN Community Edition | Open-source | VPN access for remote connectivity |

# 14. Internal Communication and Emergency Coordination

| Tool | Link | Type | Best Use |
|---|---|---|---|
| Mattermost | Mattermost | Open-source / commercial | Internal incident coordination and security channels |
| Zulip | Zulip | Open-source / commercial | Structured chat for security reporting and incident discussions |
| Rocket.Chat | Rocket.Chat | Open-source / commercial | Internal chat and emergency communication |
| Jitsi Meet | Jitsi Meet | Open-source | Emergency video calls and incident meetings |
| Signal | Signal | Free public app | Out-of-band emergency communication where appropriate |
| Statusfy | Statusfy | Open-source | Status pages for service disruption communication |
| Cachet | Cachet | Open-source | Status page and incident status communication |

# 15. Training, Awareness, and Simulations

| Tool or Resource | Link | Type | Best Use |
|---|---|---|---|
| CISA Secure Our World | CISA Secure Our World | Free public resource | Employee awareness materials |
| FTC Cybersecurity for Small Business | FTC Cybersecurity for Small Business | Free public resource | Small-business cybersecurity education |
| NCSC Top Tips for Staff | NCSC Top Tips for Staff | Free public training | Basic staff cybersecurity training |
| SANS OUCH! | SANS OUCH! | Free newsletter | Monthly awareness reminders |
| NCSC Exercise in a Box | NCSC Exercise in a Box | Free exercise resource | Tabletop and micro exercises |
| CISA Tabletop Exercise Package | CISA Tabletop Exercise Package | Free exercise resource | Tabletop exercise planning |
| H5P | H5P | Open-source / free options | Interactive quizzes and training scenarios |
| TalentLMS | TalentLMS | Affordable commercial | Small-team training delivery and tracking |
| Google Forms | Google Forms | Free / Workspace | Training confirmations and quizzes |
| Microsoft Forms | Microsoft Forms | Microsoft 365 | Training confirmations and quizzes |

# Suggested Minimal Toolkit for SMEs

A smaller company does not need everything in this appendix.

A practical starting toolkit may include:

  • Ticketing or tracking: Zammad, osTicket, GLPI, Jira Service Management, or a controlled spreadsheet.

  • Documentation and evidence: Nextcloud, SharePoint, Google Drive, BookStack, Wiki.js, or CryptPad.

  • Endpoint visibility: Wazuh, Microsoft Defender for Business, osquery, Fleet, or Velociraptor with qualified support.

  • Logging and detection: Wazuh, Security Onion, Graylog, OpenSearch, or Microsoft Sentinel.

  • Network checks: Nmap, Security Headers, SSL Labs, Internet.nl, Shodan, and Censys.

  • Phishing and suspicious link review: Microsoft or Gmail report tools, Gophish, VirusTotal, urlscan.io, and MXToolbox.

  • Backups and recovery: restic, BorgBackup, Kopia, Proxmox Backup Server, Veeam Community Edition, or an existing managed backup platform.

  • Monitoring and alerts: Uptime Kuma, Healthchecks.io, Zabbix, Grafana, ntfy, or Gotify.

  • Training and exercises: CISA Secure Our World, NCSC Exercise in a Box, SANS OUCH!, Moodle, H5P, Google Forms, or Microsoft Forms.

# Tool Selection Guidance

Use the tools the company can actually maintain.

A simple, well-maintained setup is better than a complex toolkit nobody watches.

Before adopting a tool, ask:

  • Who owns it?
  • Who knows how to use it?
  • Where will alerts go?
  • How will evidence be stored?
  • How often will it be reviewed?
  • Will it help during an incident?
  • What risk does it reduce?
  • Does it create new maintenance work?
  • Is support available if needed?