ben@thomson.cx:~$ curl -s bookmarks.json | jq '.blue_team[]'
Curated tools and resources for threat analysts, incident responders, and SOC engineers.
Scan files, URLs, IPs, and domains against 70+ antivirus engines and threat intelligence feeds. Essential for quick IOC triage and determining if an artifact is known-malicious.
virustotal.com

Community-driven malware repository by abuse.ch. Search by hash, file type, or tag to find samples and metadata. Invaluable for identifying malware families during incident response.
bazaar.abuse.ch

IOC sharing platform from abuse.ch. Search IPs, domains, URLs and hashes associated with known malware families and C2 infrastructure. Free and community-updated daily.
threatfox.abuse.ch

Open Threat Exchange — one of the world's largest open threat intelligence communities. Search pulses for IOCs, TTPs, and threat actor profiles contributed by security researchers globally.
otx.alienvault.com

Cisco's threat intelligence platform. Look up IP/domain reputation, browse vulnerability disclosures, and access threat actor reports. IP reputation lookups are particularly useful for SOC triage.
talosintelligence.com

Classifies internet background noise vs targeted attacks. Helps analysts quickly determine if an IP is mass-scanning the internet (benign noise) vs actively targeting your organisation.
greynoise.io

Interactive online malware sandbox. Execute suspicious files in a real Windows/Linux VM and watch process trees, network calls, and registry changes in real time. Free tier supports most use cases.
app.any.run

Free malware analysis service powered by CrowdStrike Falcon. Detonates files in multiple environments and returns detailed behavioural reports, MITRE ATT&CK mapping, and network IOCs.
hybrid-analysis.com

Scans and analyses URLs by rendering them in a real browser. Returns screenshots, DOM content, redirects, and linked resources — great for phishing investigation without clicking dodgy links yourself.
urlscan.io

Search engine for internet-connected devices. Find open ports, exposed services, and banner information on IPs. Useful for asset discovery, external attack surface analysis, and threat hunting.
shodan.io

Crowdsourced IP abuse reporting database. Check any IP's abuse confidence score and report history. Excellent first stop when triaging suspicious inbound connections or brute-force attempts.
abuseipdb.com

Check if an email address appears in known data breaches. Useful during phishing investigations and insider threat cases to assess credential exposure. Includes a password hash check API.
haveibeenpwned.com

DNS lookup, email header analysis, blacklist checks, and MX record diagnostics. The email header analyser is particularly useful for tracing phishing email origins and identifying spoofed senders.
mxtoolbox.com

The US National Vulnerability Database. Authoritative source for CVE details, CVSS scores, affected products, and remediation guidance. Essential for patch prioritisation and vulnerability management.
nvd.nist.gov

Archive of public exploits and proof-of-concept code. Use it to understand how a CVE is exploited in practice, assess true risk, and build detection logic for specific exploit techniques.
exploit-db.com

The definitive adversary tactics and techniques framework. Map observed behaviour to ATT&CK techniques for reporting, detection engineering, and understanding attacker tradecraft end-to-end.
attack.mitre.org

Living Off The Land Binaries, Scripts and Libraries. Documents Windows built-in binaries that attackers abuse for execution, persistence, and lateral movement — critical reference for Windows detection engineers.
lolbas-project.github.io

Linux/Unix equivalent of LOLBAS. Lists legitimate binaries that can be abused to break out of restricted environments or escalate privileges — useful when hunting for living-off-the-land attacks on Linux hosts.
gtfobins.github.io

Archive of real malware PCAP files with accompanying write-ups. Excellent for practising network forensics, understanding C2 traffic patterns, and building Suricata/Snort detection rules.
malware-traffic-analysis.net

GCHQ's browser-based data transformation tool. Decode base64, deobfuscate scripts, extract IOCs, convert timestamps, and chain hundreds of operations together — indispensable for malware analysis and log parsing.
gchq.github.io/CyberChef

Quick online base64 encoder/decoder. Useful for rapidly decoding encoded payloads found in phishing emails, PowerShell commands, or web logs without firing up CyberChef for simple jobs.
base64decode.org

Interactive tree of OSINT tools organised by category — usernames, emails, phone numbers, domains, images, and more. A great starting point when you need to pivot on an indicator and don't know where to look.
osintframework.com

Daily security diaries from SANS handlers covering current attack trends, vulnerability disclosures, and packet analysis. One of the most reliable sources for what's actively being exploited in the wild.
isc.sans.edu

In-depth real-world intrusion reports covering full attack chains from initial access to impact. Incredibly detailed timelines, IOC lists, and detection opportunities — essential reading for defenders and detection engineers.
thedfirreport.com

High-volume cybersecurity news covering breaches, new vulnerabilities, APT campaigns, and tool releases. Good for staying current on what's being patched and exploited across the industry.
thehackernews.com