Security Tools We Actually Use

A short, curated list of the tools we reach for day-to-day at ThreatChain. No affiliate spam — only things we run ourselves for threat research, contract audits, and incident response.

OSINT · Recon

Shodan

Search engine for internet-connected devices. Finds exposed databases, ICS, RDP, and forgotten admin panels in seconds.

Every external-asset enumeration we do starts here. The CLI and API beat the web UI once you know what you're looking for.
shodan.io →
OSINT · Recon

Censys Search

Continuous internet-wide scan with deep TLS / HTTP / JARM fingerprinting. Better for cert-based threat-actor pivots than Shodan.

When we need to pivot from one TLS cert to every host that shares it, Censys is faster than anything else.
search.censys.io →
Vulnerability · Scanner

Nuclei

Template-based vulnerability scanner from ProjectDiscovery. 9,000+ community templates covering CVEs, misconfigs, and takeovers.

We run nuclei on every in-scope target. Writing custom templates for novel CVEs takes 10 minutes.
github.com/projectdiscovery/nuclei →
Web · App Testing

Burp Suite

The gold standard for web-app proxy / request tampering. Intruder, Repeater, and Collaborator are unmatched.

Pro tier is worth it. The Collaborator alone has caught blind SSRF we would have missed.
portswigger.net/burp →
Malware · Analysis

Any.Run

Interactive malware sandbox — watch a sample detonate in a real desktop VM and pivot on IOCs as they're generated.

Faster triage than a local VM. We attach TTPs from Any.Run runs to most ThreatChain malware articles.
any.run →
Malware · Analysis

Hybrid Analysis

Free automated sandbox run by CrowdStrike. Great for quick YARA matches and network IOC extraction.

Complements Any.Run when you need a second opinion or a static YARA verdict without interactive play.
hybrid-analysis.com →
Smart Contract · Audit

Slither

Static analyzer for Solidity and Vyper from Trail of Bits. Catches 80+ bug classes faster than any manual review.

Our first pass on every smart-contract audit. SolidGuard builds on top of it with AI review.
github.com/crytic/slither →
Smart Contract · Audit

Foundry

Modern Ethereum development toolkit — Forge for testing, Cast for chain calls, Anvil for local fork. Rust-fast.

We write fork-PoC exploits in Foundry to prove findings end-to-end. No tool beats it for mainnet forking.
book.getfoundry.sh →
Smart Contract · Audit

Mythril

Symbolic-execution engine for EVM bytecode. Finds integer overflows and reachability bugs that static tools miss.

Slow but deep. Worth running on high-value contracts when Slither comes back clean.
github.com/Consensys/mythril →
Password · Auth

Hashcat

GPU-accelerated password cracker supporting 350+ hash modes. The workhorse for every hash recovery job.

With a 4090, an 8-char bcrypt is recoverable in hours instead of weeks.
hashcat.net →
DFIR · Forensics

CyberChef

"The Cyber Swiss Army Knife" — 300+ operations for encoding, hashing, network, crypto, and binary analysis, chained visually.

Fastest way to decode a multi-stage obfuscated payload. Lives in the browser, works offline.
gchq.github.io/CyberChef →
DFIR · Network

Wireshark

Deep packet inspection. Reconstructs TCP streams, decodes TLS with keys, and has dissectors for virtually every protocol.

When an endpoint is weird, watch the wire. Every IR engagement we run has Wireshark open somewhere.
wireshark.org →
Reverse · Engineering

Ghidra

NSA's open-source RE suite — decompiler, disassembler, scripting in Java or Python, collaborative projects.

Free alternative to IDA Pro, and the decompiler output has genuinely caught up.
ghidra-sre.org →
AI · Security

ThreatChain SolidGuard

Yes, our own tool. AI-powered smart-contract auditor with 115 vulnerability detectors for Solidity, Rust, Move, Vyper, and Cairo.

We built it because we were tired of Slither's false positives and needed AI context. Free tier: 5 scans/day.
threatchain.io/solidguard →
Some links on this page may be affiliate links. ThreatChain may earn a commission at no extra cost to you. We only recommend tools we actually use and trust.