The Ultimate Blue Team Reference

This post is to serve as an ultimate blue team resource guide. Feel free to comment so we can add new links to make this post a one stop shop for all your blue team needs.

This post is currently a draft and will get updated in the future.

Contents

  1. Threat Hunting / Investigation Resources
  2. Threat Intelligence
  3. Security Information and Event Management Systems (SIEM)
  4. Log Sources
  5. Threat Detection
  6. Malware Analysis
  7. Educational Sites
  8. Blogs

1. Threat Hunting / Investigation Resources

  • LOLBAS - A repository of living off the land (LOL) binaries that threat actors can use to perform malicious actions. This repo is updated when new LOL binaries are found. This repo can be used to hunt malicious actions on your network, or be used to investigate triggered alerts.

  • GTFOBins - Same as above, but for Unix.

  • LOTS Project - Same as above but for trusted sites such as Google Drive.

  • FileSec - List of file extensions commonly used by threat actors.

  • MalAPI - List of Windows APIs mapped to common techniques used by malware.

  • xCyclopedia - Analysis/Library of every binary that may be on your typical operating systems. Very useful during investigations into unknown binaries.

  • Winbindex - A store of all Windows binaries which appear in Windows update packages. Very useful during investigations into unknown binaries and viewing changes made by Windows update service.

  • VirusTotal - File, hash and URL lookup, uses multiple AV engines to identify if a target is malicious. Community is useful for identifying unknown binaries. Additional tooling available for hunting and graphing.

  • Shodan - Search engine for internet facing devices. Can be used to monitor your external facing interfaces for misconfigurations and vulnerabilities.

  • DNS Twister - Put in a domain of your choice and find similar domains that can be used for typosquatting-type phishing or other nefarious activities.


2. Threat Intelligence

  • TweetDeck - Twitter, but in a dashboard format. Useful for quickly accessing relevant tweets. Can combine hashtags such as “#Phishing #CompanyName” to pinpoint threats. Can have multiple following lists for various subjects too.

  • Feedly - RSS feeds displayed in a nice format with useful tools for gathering IOCs and MITRE mapping. Requires you to add your own sources (look at the blogs/rest of this section).

  • CVE Trends - Taking information from Twitter, CVE Trends maps popular CVEs to a dashboard, displaying the most talked about CVEs over a specified time period.

Threat Intelligence Feeds

  • Microsoft Security Update Guide - Microsoft vulnerability updates along with the related CVE and Microsoft Update.

  • Abuse.ch - One stop shop for multiple feeds and IOC types.

  • PhishTank - Site for users to upload known phishing sites. API can be used to gather known malicious URLs.

Threat Intelligence Tooling

  • MISP -

3. Security Information and Event Management Systems (SIEM)

  • Splunk Enterprise - A tool for collecting, correlating and searching machine data. The many apps available for Splunk allow it to be used easily as a SIEM solution, or as an investigative tool.

  • Elastic SIEM - A free to use and modify SIEM solution, using ELK stack with out-of-the-box detection rules aligned with the MITRE ATT&CK framework.

Additional Tooling

  • osquery - Open source platform allowing a user to query endpoint information such as running processes.

4. Log Sources


5. Threat Detection

  • MITRE ATT&CK Framework - Matrix of adversary tactics and techniques based on real-world observations, perfect for use-case creation and mapping.

  • Sigma - Generic, vendor-neutral detection rule format that converts between SIEM query languages such as Splunk’s Search Processing Language, so rules can be shared. You can find lots of pre-created searches and use cases on their repo.

  • HackTricks - Gitbook full of hacking techniques, methodologies and tools. Useful for identifying methods threat actors will utilise to get in and move laterally inside your network.


6. Malware Analysis

  • FlareVM - Windows virtual machine with the tools to perform static and dynamic malware analysis. A VM every analyst / investigator should have in their toolbox.

  • Any.Run - Interactive sandbox with full process tree analysis in a live environment. Free and paid versions available.

  • Joe Sandbox - Automatic malware analysis sandbox: give it a file or URL and it produces a report with a risk score.

  • CAPE Sandbox - Free open source sandbox. You can use their online sandbox, or host your own instance to prevent submitted files from becoming public.


7. Educational Sites

  • TryHackMe - Great supply of educational CTFs and learning paths for both blue team and red team. Free and paid content. Laid out in an educational, easy to follow format. Great for getting started in cyber.

  • HackTheBox - Similar to TryHackMe. Plenty of CTFs and other resources to get started in cyber. Might be a little difficult for complete beginners.

  • Splunk BOTS - Splunk puts on a CTF-style event called Boss of the SOC a few times a year. Some of the past events, along with educational resources, are available on their BOTS site. Take a look if you want a solid introduction to using Splunk to perform cyber investigations.

  • Sam’s Classes - Lecturer from CCSF who allows anyone to access his course content and join lectures. Great courses available ranging from blue to red.

  • Microsoft Learn - Microsoft’s learning platform filtered to the security engineer related courses. Useful for beginners who require knowledge on Windows services such as Active Directory or Azure.


8. Blogs

Blue Team

  • Red Canary - Solid blog covering threat intel and threat detection, should be on everyone’s subscription list.

  • Splunk Security Blog - Useful blog posts on various subjects from tooling to threat hunting. Be sure to check out their other categories too.

  • Elastic Security Blog - Technical blog by the Elastic security team. Content is transferable to other SIEM solutions too.

  • Microsoft Security Research - Technical blog made by Microsoft on defensive research.

  • Daniel Miessler - Security professional who started his site in 1999, vast amount of content. Also has a solid weekly newsletter you can subscribe to.

  • Lenny Zeltser - CISO of Axonius and Faculty Fellow at SANS Institute, sharing his knowledge on technical and non-technical elements of cyber.

  • ADSecurity - Everything Active Directory security. Not updated for a while; however, the content is still relevant today.

  • JPMinty - Great blog with lots of content, everything from cheat sheets to HackTheBox writeups. Check out this cheat sheet for a solid digital forensics incident response process.

Purple/Red Team

  • Orange - Exploit developer, releasing PoCs and technical information on new exploits.

  • Sam Curry - Web Application Security Researcher, has good examples of hacking web apps and thinking outside the box.

  • Hausec - Cheat sheets, writeups and solid security content relevant to both blue and red teams.

  • Cyber Hacktics - Mostly CTF writeups, some good forensic content with other bits thrown in.