2016 Top Security Tools as Voted by ToolsWatch.org Readers

2016 Top Security Tools as Voted by ToolsWatch.org Readers

Dear ToolsWatchers,

ToolsWatch folks are honored to announce the 2016 Top Security Tools, this is the fourth edition of our online voting by our readers.

We noticed that the tools presented during the Black Hat Arsenal sessions have gained a large popularity amongst the infosec community. We, at ToolsWatch, are very proud and happy to promote great tools from great folks at the greatest event Black Hat Arsenal.

Thanks for your time and your votes.

Results by Year

[tabgroup][tab title=”Results 2016″]

01 – Objective-See tools (NEW)
02 – OWASP ZAP – Zed Attack Proxy Project (-1↓)
03 – OWASP VBScan (NEW)
04 – WarBerry PI (NEW)
05 – Mobile Security Framework (MobSF) (NEW)
07 – Burp Suite (-1↓)
08 – Halcyon IDE (NEW)
09 – DataSploit (NEW)
10 – Lynis (-8↓)
10 – Faraday (-6↓)
10 – Sparta (NEW)

[/tab][tab title=”Results 2015″]

01 – OWASP ZAP – Zed Attack Proxy Project (+1↑)
02 – Lynis (+1↑)
03 – Haka (NEW)
04 – Faraday (NEW)
05 – BeEF – The Browser Exploitation Framework (-1↓)
06 – Burp Suite (NEW)
07 – PeStudio (-1↓)
08 – Nmap (+2↑)
09 – IDA Pro (NEW)
10 – OWASP Offensive (Web) Testing Framework (-3↓)


2016 Top Security Tools as Voted by ToolsWatch.org Readers

01- Objective-See OS X Security Tools

Introduced during Black Hat Arsenal 2015 and returned in 2016, Objective-See Security Tools were widely and grealtly appreciated by the audience. Tools such KnockKnock, RansomWhere, BlockBlock and OverSight were massively voted during this campaign. Check the URL to learn how Patrick Wardle’s tools can help you incredibly improve security of your Macs !

URL: https://objective-see.com/products.html

Black Hat Arsenal survivorUSA 2015,  USA 2016

02- OWASP ZAP – Zed Attack Proxy Project

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


Black Hat Arsenal survivor: USA 2014, USA 2015, Europe 2016USA 2016

ToolsWatch Best Tools : Rank 1 in 2013, Rank 2 in 2014Rank 1 in 2015

03- OWASP VBScan

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an opensource project in perl programming language to detect VBulletin CMS vulnerabilities and analyses them.

URL: https://www.owasp.org/index.php/OWASP_VBScan_Project

04- WarBerry PI

The WarBerry PI is a customized RaspBerryPi hacking dropbox which is used in Red Teaming engagements with the sole purpose of performing reconnaissance and mapping of an internal network and providing access to the remote hacking team while remaining covert and bypassing security mechanisms.

The outcome of these red teaming exercises is the demonstration that if a low cost microcomputer loaded with python code can bypass security access controls and enumerate and gather such a significant amount of information about the infrastructure network which is located at.

URL: https://github.com/secgroundzero/warberry

Black Hat Arsenal survivorEurope 2016USA 2016

05- Mobile Security Framework (MobSF)

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code.

MobSF can also perform Web API Security testing with it’s API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

URL: https://github.com/ajinabraham/Mobile-Security-Framework-MobSF


OWASP ZSC is an open source software in python language which lets you generate customized shellcodes and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX under python. According to other shellcode generators same as metasploit tools and etc, OWASP ZSC using new encodes and methods which antiviruses won’t detect.

OWASP ZSC encoderes are able to generate shell codes with random encodes and that allows you to generate thousands of new dynamic shellcodes with same job in just a second,that means, you will not get a same code if you use random encodes with same commands

URL: https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project

Black Hat Arsenal survivorEurope 2016

07- Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.


ToolsWatch Best Tools : Rank 3 in 2013, Rank 6 in 2015

08- Halcyon IDE

Halcyon is the first IDE specifically focused on Nmap Script (NSE) Development. This research idea was originated while writing custom Nmap Scripts for Enterprise Penetration Testing Scenarios. The existing challenge in developing Nmap Scripts (NSE) was the lack of a development environment that gives easiness in building custom scripts for real world scanning, at the same time fast enough to develop such custom scripts.

Halcyon is free to use, java based application that comes with code intelligence, code builder, auto-completion, debugging and error correction options and also a bunch of other features like other development IDE(s) has. This research was started to give better development interface/environment to researchers and thus enhance the number of NSE writers in the information security community.

URL: http://halcyon-ide.org/

Black Hat Arsenal survivorASIA 2016USA 2016

09- DataSploit

DataSploit utilizes various Open Source Intelligence (OSINT) tools and effective techniques and brings them all into one place, correlates the raw data captured and gives the user, all the relevant information about the domain / email / phone number / person, etc. DataSploit allows you to collect relevant information about a target which can expand your attack/defence surface very quickly.


Black Hat Arsenal survivorEurope 2016USA 2016

10- Lynis

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux/Unix-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.


Black Hat Arsenal survivorEurope 2014, Europe 2015, USA 2015, Europe 2016

ToolsWatch Best Tools : Rank 6 2013, Rank 3 2014, Rank 2 2015

10- Faraday

Faraday introduces a new concept (IPE) Integrated Penetration-Test Environment a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

URL: https://www.faradaysec.com

Black Hat Arsenal survivorUSA 2011, Europe 2015, USA 2015ASIA 2016, Europe 2016USA 2016

ToolsWatch Best Tools : Rank 4 2015

10- Sparta

SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and tools used are fully customisable as each tester has his own methods, habits and preferences.

URL: http://sparta.secforce.com/


Besides the Top 10, voters have mentioned the following tools (not sorted) and some made very decent scores

  • OWASP Dependency
  • OWASP JoomScan
  • ModSecurity
  • Android Tamer
  • BeeF
  • PEStudio
  • BloodHound
  • WPscan
  • Shelter AV Invasion
  • Responder
  • Needle

ToolsWatch Team

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"