CyberChef is a threat hunting tool that is well known across the security profession. Released by the secretive agency known as GCHQ in 2016, the tool is designed for analyzing and decoding data. What data, you ask? While it was very robust at launch, it has only grown in capabilities. Whether you want to decode XOR, Base64, or something more exotic like the Bacon Cipher, CyberChef can do it with ease. The tool can also automatically detect various types of nested encoding in data.

RSS Readers

This isn’t so much a single threat hunting tool as a threat hunting tool category: really simple syndication (RSS) readers. Almost every hunter we spoke with emphasized how important keeping up on the news is for a hunter. We aren’t talking about CNN headlines, though. Instead, they all emphasized the importance of following popular security sites for industry news. Several hunters also suggested following vendors’ sites that announce vulnerabilities and patches. Some other hunters made following red teaming and exploit publishing sites a priority.

Phishing Catcher

Phishing remains one of the biggest threats to organizations. It is no surprise, then, that threat hunters recommended the proactive threat hunting tool Phishing Catcher. Phishing Catcher is an open source tool used to detect phishing domains in near real time. How does it do this?


DNSTwist

Another threat hunting tool for catching suspicious domains that hunters recommended was DNSTwist. DNSTwist is a very powerful tool that uses various fuzzing algorithms to detect suspicious domains. DNSTwist can identify mistyped domains, homoglyphs, and internationalized domain names (IDN). It can also detect live phishing pages and geolocate all its results to identify strange outliers.
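The three lookalike classes named above (mistyped domains, homoglyphs, IDN) can be checked against a domain you defend with a few lines of Python. This is an added example, not DNSTwist's code and not part of the original article; the small confusables table, the function names, and the sample domains are assumptions constructed for illustration.

```python
import unicodedata

# Tiny illustrative confusables table (assumption: real tools use far larger ones).
CONFUSABLES = {"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def to_unicode(label):
    """Decode an IDN A-label (xn--...) to Unicode; lowercase everything else."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label
    return label

def skeleton(text):
    """Fold look-alike characters to the ASCII letter they imitate."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(observed, protected):
    """Return 'exact', 'idn-homoglyph', 'homoglyph', 'typo' or None."""
    name = ".".join(to_unicode(l) for l in observed.rstrip(".").split("."))
    if name == protected:
        return "exact"
    if skeleton(name) == skeleton(protected):
        return "homoglyph" if name.isascii() else "idn-homoglyph"
    return "typo" if osa_distance(name, protected) == 1 else None

PROTECTED = "example.com"  # assumption: the domain being defended
# Constructed observations (as if pulled from DNS or proxy logs), not real indicators.
OBSERVED = ["example.com", "exmaple.com", "examp1e.com", "unrelated.org",
            "xn--" + "exampl\u0435".encode("punycode").decode("ascii") + ".com"]

if __name__ == "__main__":
    for domain in OBSERVED:
        print(domain, "->", classify(domain, PROTECTED))
```

Running the same classification over newly observed domains in resolver or proxy logs gives a hunter a short list of lookalikes to review.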


Gnuplot

One threat hunting tool that got rave reviews from threat hunters was a simple tool dating back to 1986: gnuplot! Gnuplot is an open source tool that allows plotting of data in two and three dimensions. Why do threat hunters need tools like gnuplot?


AttackerKB

One hunter aptly described AttackerKB as “the Yelp of exploits,” and they weren’t wrong. AttackerKB is a threat hunting tool that provides everything adversaries, and their hunters, need to understand exploits. This includes disclosure, technical analysis, outcomes, exploitability, ease of use and much more.


YARA

One of the most common threat hunting tools mentioned by hunters was YARA. YARA is a tool with an interesting legacy. While its original purpose was malware classification, the format has become a popular choice for hunters. This is because rules written in the YARA format are ingestible by security controls for malware detection. The rules can also be used on sites like VirusTotal to find specific malware or even sensitive company documents.



Cyborg Security


Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.