Security tools fall into four broad categories: detection and monitoring (see what is happening), hardening and prevention (make attacks harder to execute), forensics and incident response (investigate after the fact), and shell utilities (the everyday commands that underpin everything else). This page covers each category with practical examples.

Detection & Monitoring

Tools that watch network traffic and system behavior for signs of intrusion

Hardening & Prevention

Tools and techniques that reduce your attack surface

Forensics & Incident Response

Tools for collecting, preserving, and analyzing evidence

Shell Utilities

Bash and command-line tools essential for security work

Detection and monitoring

These tools implement your detective controls — they do not stop attacks, but they tell you an attack is occurring or has occurred.

Wireshark

Wireshark is a graphical network protocol analyzer. It captures packets on a live interface or reads from a saved .pcap file and decodes them into human-readable form. 
# Capture 100 packets on eth0 to a file (CLI equivalent using tcpdump)
tcpdump -i eth0 -c 100 -w capture.pcap

# Read a capture file
tcpdump -r capture.pcap
Use Wireshark to:
  • Inspect traffic for C2 (command-and-control) beacons
  • Identify plaintext credentials transmitted over unencrypted protocols
  • Reconstruct TCP streams to see what an attacker sent and received

Log analysis with grep and awk

System logs are your first source of evidence. grep lets you search them quickly. 
# Find all failed SSH login attempts in auth.log
grep "Failed password" /var/log/auth.log

# Find logins from a specific IP
grep "Failed password" /var/log/auth.log | grep "192.168.1.100"

# Count failed login attempts per source IP
grep "Failed password" /var/log/auth.log \
  | awk '{print $11}' \
  | sort | uniq -c | sort -rn

Intrusion Detection: Snort / Suricata

Network IDS tools like Snort and Suricata inspect traffic in real time and match it against rule sets describing known attack patterns. They generate alerts (and, in IPS mode, block traffic) without requiring you to manually read every packet.
Signature-based IDS catches known threats with high precision. Anomaly-based IDS can catch novel attacks but produces more false positives. Most production deployments use both.

Hardening and prevention

These are your preventive controls — they shrink the attack surface before an attacker can exploit it.

Firewall configuration (iptables / nftables)

A firewall enforces a policy about which traffic is allowed in and out. Default-deny is the correct posture: block everything, then explicitly permit what is needed. 
# Drop all incoming traffic by default
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow established/related connections (responses to outbound requests)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH only from a specific management subnet
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT

# Allow HTTPS from anywhere
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Access control and least privilege

Run services under dedicated, unprivileged accounts: 
# Create a system account with no login shell for a service
useradd --system --no-create-home --shell /usr/sbin/nologin myservice

# Check what a process is running as
ps aux | grep myservice
Remove SUID/SGID bits from binaries that do not need them: 
# Find SUID binaries on the system
find / -perm -4000 -type f 2>/dev/null

# Remove SUID from a binary
chmod u-s /path/to/binary

Patch management

Unpatched software is the most common vulnerability exploited in real attacks. Keep systems current: 
# Debian/Ubuntu: check for and apply security updates
apt-get update && apt-get upgrade

# List packages with available security updates only
apt-get --just-print upgrade 2>/dev/null | grep -i security

# Check kernel version (compare against known CVEs)
uname -r

Multi-factor authentication (MFA)

MFA is one of the highest-value controls you can deploy. Even if an attacker obtains a valid password, they cannot authenticate without the second factor. Enforce MFA for:
  • All remote access (VPN, SSH, web-based admin panels)
  • All privileged accounts
  • All cloud console access

Forensics and incident response

These tools help you understand what happened after an incident. Always work on a forensic copy — never modify original evidence.

dd — disk imaging

dd creates a bit-for-bit copy of a disk or partition, preserving deleted files and unallocated space that a normal file copy would miss. 
# Create a forensic image of /dev/sdb, hashing it at the same time
dd if=/dev/sdb bs=4M | tee disk.img | md5sum > disk.img.md5

# Verify the image matches the original
md5sum disk.img
cat disk.img.md5
Always image the source device before doing any analysis. Even mounting a filesystem read-only can update access timestamps. Work from the image, not the original drive.

Volatility — memory analysis

Volatility is the standard tool for analyzing memory dumps. It extracts running processes, open network connections, loaded modules, and injected code from a raw memory image. 
# Identify the OS profile of a memory dump
volatility -f memory.img imageinfo

# List running processes
volatility -f memory.img --profile=Win10x64 pslist

# Show network connections at time of capture
volatility -f memory.img --profile=Win10x64 netscan

# Find injected code in process memory
volatility -f memory.img --profile=Win10x64 malfind

Autopsy — disk forensics

Autopsy is a graphical front-end for The Sleuth Kit that lets you browse a forensic disk image, recover deleted files, search for keywords, and build a timeline of filesystem activity. It is commonly used in CTF forensics challenges and real investigations alike.

FTK Imager

FTK Imager (Windows) creates forensic images in standard formats (E01, AFF, raw) with built-in hash verification. It can also mount images as read-only virtual drives for analysis without modifying the source.

Chain of custody

Document every action you take on evidence: 
# Hash a file before and after transport to prove it was not altered
sha256sum suspicious_file.exe > suspicious_file.exe.sha256
# ... transfer the file ...
sha256sum -c suspicious_file.exe.sha256

Shell utilities

These commands are the building blocks of security work on Linux and macOS. Knowing them well makes everything else faster.
ActionBash / ZshPowerShell equivalent
Print working directorypwdpwd
List filesls -lals -Force
Change directorycd /pathcd /path
Copycp src dstcp src dst
Move / renamemv src dstmv src dst
Delete (recursive)rm -rf dir/rm -Recurse -Force
Show manualman commandhelp command

Reading files

cat /etc/passwd           # Print entire file
less /var/log/syslog      # Page through a large file
tail -f /var/log/auth.log # Watch a log file grow in real time
head -n 20 access.log     # First 20 lines

grep — searching file content

grep searches for patterns (including regular expressions) inside files. It is essential for log analysis. 
# Basic pattern search
grep "error" /var/log/syslog

# Case-insensitive search
grep -i "failed" /var/log/auth.log

# Recursive search through a directory
grep -r "password" /etc/

# Show 3 lines of context around each match
grep -C 3 "segfault" /var/log/kern.log

# Invert match (show lines that do NOT match)
grep -v "^#" /etc/ssh/sshd_config

# Count occurrences
grep -c "GET /admin" /var/log/nginx/access.log

find — locating files

find traverses a directory tree to locate files by name, type, permission, or modification time. 
# Find all .log files under /var
find /var -name "*.log"

# Find files modified in the last 24 hours (useful post-incident)
find / -mtime -1 -type f 2>/dev/null

# Find SUID executables
find / -perm -4000 -type f 2>/dev/null

# Find files larger than 100MB
find /home -size +100M

Regular expressions (regex)

grep, sed, and most security tools accept regex patterns. The most useful symbols:
SymbolMeaning
.Any single character
*Zero or more of the preceding
+One or more of the preceding
?Zero or one of the preceding
^Start of line
$End of line
[abc]Any one of a, b, or c
[^abc]Any character except a, b, or c
[a-z]Any lowercase letter
a|bMatch a or b
# Find lines containing an IPv4 address pattern
grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' access.log

# Find lines starting with a timestamp (e.g. "Dec  8")
grep -E '^[A-Z][a-z]{2}\s+[0-9]' /var/log/syslog

Virtual machines with QEMU

QEMU lets you run virtual machines for safe malware analysis, CTF challenge environments, or testing firewall rules without risking your host system. 
# Boot an ISO installer
qemu-system-x86_64 -cdrom ubuntu.iso -m 2048 -hda disk.qcow2

# Run a VM with no network access (safe for malware analysis)
qemu-system-x86_64 -hda suspicious.qcow2 -m 1024 -net none

# Create a new disk image
qemu-img create -f qcow2 sandbox.qcow2 20G
For malware analysis, always run samples in an isolated VM with networking disabled (-net none). Take a snapshot before execution so you can restore a clean state and repeat the experiment.