Skip to main content
7 min read Beginner

About PentestingEverything

🔜 Upcoming New Resources soon!
Your ideas, suggestions, and contributions are always welcome!
  • New Module: Leveraging AI in Pentesting
Recently Updated Content : 2026
  • iOS Pentesting Module
  • Android Pentesting
  • API Pentesting Module
  • SAST / Source Code Review
  • DevSecOps & SCA
  • Thick Client Pentesting
  • OWASP Top 10:2025 Web Application
  • Threat Modeling, Design Review, Idea Review, Architecture Review
  • New Module : LLMs OWASP Top 10
  • New Module : MCP Pentesting
  • New Module : Firewall (In progress)
Improvements and advance technique
  • More methods for SSL Pinning bypass and exploitation
  • Intercepting mobile TCP traffic using iptables and invisible proxying
  • Comprehensive enumeration with Frida and object analysis (Local Storage, Classes, Methods, Activities, Services, Intents, Receivers, etc.)
  • Exploiting Android components using ADB and Drozer
  • Advanced SAST beyond MobSF
Currently Exploring & Seeking Collaboration

Contributions and knowledge sharing are welcome from professionals experienced in Cloud and Enterprise Infrastructure Pentesting.

  • Cloud Pentesting
  • Enterprise Pentesting (Network, Firewall, WiFi & Configuration Review)

0.1. Table of Contents

No.Types of PentestingNo.Types of Pentesting
1Web Application Pentesting13MCP Security Assessment
2API Pentesting14LLM Security Assessment
3Mobile Pentesting15Threat Modeling
4Thick Client Pentesting16Configuration Review
5Secure Code Review17Container & Kubernetes Assessment
6Cloud Pentesting18CI/CD Pentesting
7DevSecOps19IoT Pentesting
8Network Pentesting20BlockChain Pentesting
9Wi-Fi Pentesting21Phishing Assessment
10Firewall Penetration22OSINT
11Active Directory Pentesting23Forensic
12Infrastructure Security

Pentesting & Tools

40 Plus Type of Security Assessment Tools

1. Penetration Testing and Tools

CategoryTools
Web Application PentestingAcunetix, Burp Suite Professional, Dirb, FFUF, Nmap, Nikto, Nuclei, OWASP ZAP, SQLMap, WhatWeb, WPScan, Invicti (Netsparker), Fortify WebInspect
Android Securityadb, APKTool, Apkscan, AndroBugs, Android Studio / Genymotion, AppMon, Dexter/Objection (Objection), Drozer, Frida, Magisk, MITMProxy, MobSF, Quark Engine, JADX
iOS Securitycheckra1n, Class-dump, Frida, iMazing, iOS-decrypt, iOS-Hook, MobSF, Needle, Objection, Palera1n, Passionfruit, SSL Kill Switch 2, Cycript
API PentestingBurp Suite Professional, GraphQL Raider, GraphQL Voyager, Insomnia, Kite Runner, Postman, Swagger UI
Secure Code ReviewBandit, Checkmarx, CodeQL, FindSecBugs, Gitleaks, Semgrep, SonarQube, Snyk, Veracode, Fortify Static (Workbench/Audit)
Thick-Client SecurityBurp Suite Professional, dnSpy, de4dot, Fiddler, Ghidra, IDA Pro, OllyDbg, Process Explorer, x64dbg, CFF Explorer, Sysinternals Suite, Wireshark
Network PentestingBettercap, CrackMapExec, Metasploit, Netcat, Nessus, Nmap, OpenVAS, Responder, Wireshark

2. Extended version

CategoryTools
Active Directory PentestingBloodHound, Mimikatz, CrackMapExec, Impacket, Kerbrute, Rubeus, LDAPDomainDump, SharpHound, PowerView, ADRecon
Cloud SecurityProwler, ScoutSuite, CloudSploit, Pacu, Steampipe, CloudMapper, NCC Scout, kube-bench, Terrascan, KICS
IoT SecurityFirmwalker, Binwalk, Firmware-Mod-Kit, Shodan, RIOT, JTAGulator, Qiling, Ghidra, Avatar2, Firmadyne
Firewall Pentestinghping3, NPing, Scapy, Zmap, firewalk, FTester, Nmap (Firewall Bypass), Packet Sender, T50, Ettercap, TCPReplay
Firmware AnalysisBinwalk, Firmware Analysis Toolkit (FAT), QEMU, Ghidra, IDA Pro, Firmware-Mod-Kit, Radare2, Firmadyne
Container SecurityTrivy, Aqua Microscanner, Clair, Anchore, Docker Bench, kube-hunter, Falco, Sysdig, Snyk, Grype
WiFi PentestingAircrack-ng, Kismet, Bettercap, Reaver, Fluxion, Wireshark, hcxtools, Fern WiFi Cracker, Wifiphisher, Hashcat
DevSecOpsGitHub Advanced Security, Trivy, Snyk, Anchore, OWASP Dependency-Check, Jenkins, Checkmarx, Veracode, Dagda, Sysdig Secure, Cloud Custodian, Bridgecrew, Kubescape
OSINTtheHarvester, Maltego, SpiderFoot, Recon-ng, Shodan, FOCA, Google Dorks, OSINT Framework, GHunt, Sherlock, PhoneInfoga
Configuration ReviewLynis, OpenSCAP, Auditd, Tripwire, cis-cat Pro, Chef InSpec, Prowler, Kubescape
Phishing SimulationGoPhish, SET, Evilginx2, Phishery, King Phisher, Modlishka, Phishing Frenzy
ForensicsAutopsy, Volatility, Sleuth Kit, FTK Imager, Redline, Magnet AXIOM, X-Ways, Bulk Extractor, ExifTool
Blockchain SecurityMythril, Slither, Manticore, Remix IDE, Oyente, SmartCheck, Echidna, Tenderly
Threat ModelingMicrosoft TMT, OWASP Threat Dragon, IriusRisk, SeaSponge, Draw.io, Pytm
Red Team ToolsCobalt Strike, Sliver, Mythic, Empire, Metasploit, Brute Ratel, Koadic, FudgeC2, Nishang, PowerShell Empire
Blue Team ToolsVelociraptor, Wazuh, OSQuery, GRR, Sysmon, CrowdStrike Falcon, Elastic Security, Sigma Rules
SIEM & Log AnalysisSplunk, ELK Stack, Graylog, Wazuh, AlienVault OSSIM, SIEMonster, Logstash, Fluentd, Loki, Falco, Humio, Kibana, Loggly, Logz.io
Password CrackingHashcat, John the Ripper, Hydra, CrackStation, Cain & Abel, Medusa, THC-Hydra
Reverse EngineeringGhidra, IDA Pro, x64dbg, OllyDbg, Binary Ninja, Radare2, Cutter
Hardware HackingChipWhisperer, Saleae Logic, OpenOCD, JTAGulator, Bus Pirate, Flashrom, Arduino, Raspberry Pi, RTL-SDR
Social EngineeringSET, BeEF, King Phisher, Evilginx / Evilginx2, Modlishka, EyeWitness, PhishToolkit, PhishX, Psychological Frameworks (Pretexting, Elicitation)
SCADA/ICS SecuritySnort, Wireshark, ModScan, ModbusPal, Scadafence, OpenPLC, GasPot, Conpot, PLCScan
Supply Chain SecuritySnyk, OWASP Dependency-Check, Trivy, Syft, Grype, CycloneDX, Whitesource, Anchore Engine
Email Security TestingGoPhish, Modlishka, SMTPTester, MailSniper, Evilginx2, Phish5, Email Header Analyzer
Mobile Malware AnalysisAPKTool, MobSF, Jadx, Frida, VirusTotal Mobile, Droidbox, Bytecode Viewer, Drozer, Quark-Engine
AI/ML SecurityAdversarial Robustness Toolbox (ART), TextAttack, Foolbox, IBM AI Explainability 360, CleverHans, Alibi Detect, SecML, DeepExploit
Security Automation / SOARStackStorm, Cortex XSOAR, Shuffle, DFIR-IR-Playbook, Phantom Cyber, Tines
Bug Bounty ToolkitAmass, Sublist3r, Nuclei, HTTPX, Naabu, FFUF, GF, Dalfox, Kiterunner, Hakrawler, JSParser, ParamSpider
Credential Dumping & CrackingLaZagne, Mimikatz, Hashcat, John the Ripper, Windows Credential Editor, CrackMapExec, GetNPUsers.py
Payload GenerationMSFVenom, Unicorn, Shellter, Veil, Nishang, Empire, Obfuscation.io, Metasploit, Donut
Honeypots / DeceptionCowrie, Dionaea, Kippo, Honeyd, T-Pot, Conpot, Canarytokens, Artillery
MacOS SecurityKnockKnock, BlockBlock, OSXCollector, Objective-See Suite, MacMonitor, Little Snitch, Dylib Hijack Scanner
Windows Post-ExploitationPowerView, Seatbelt, SharpUp, WinPEAS, Sherlock, Empire, FireEye Red Team Tools, SharpHound
Linux Post-ExploitationLinPEAS, Linux Exploit Suggester, pspy, Chkrootkit, rkhunter, bashark, GTFOBins, Sudomy
Browser Security TestingBeEF, XSStrike, XSSer, Burp Collaborator, NoScript, uBlock Origin, Chrome Developer Tools

2.1. 👨‍💻Contributors👩‍💻

I appreciate your interest in contributing! please read Contribution Guidelines.

A heartfelt thanks to the amazing individuals for their contributions to this project. You can view emoji key to see the various ways you can contribute!

Marko Živanović
Marko Živanović
🔧		 Madhurendra kumar
Madhurendra kumar
💻		 0xanon
0xanon
💻		 InfoBugs
InfoBugs
💻		 Ratnesh kumar
Ratnesh kumar
💻		 Chandrabhushan Kumar
Chandrabhushan Kumar
💻		 Satya Prakash
Satya Prakash
💻 👀
Wei Lin
Wei Lin
🌍

2.2. Star History

Star History Chart

Support:

m14r41