Pentesting tools
April 25, 2026
Static analysis
- SonarQube https://www.sonarsource.com/
FOSS
- ZAP https://github.com/zaproxy/zaproxy
- Nuclei https://github.com/projectdiscovery/nuclei
- Nettacker https://github.com/OWASP/Nettacker
- Nikto https://github.com/sullo/nikto
- Arachni https://github.com/Arachni/arachni
- Wapiti https://github.com/wapiti-scanner/wapiti
- Threatmapper https://github.com/deepfence/ThreatMapper
Freemium
- Burp https://portswigger.net/burp
- Caido https://github.com/caido/caido
- Metasploit https://www.metasploit.com/
Paid only
- Invicti https://www.invicti.com/
- Nessus https://www.tenable.com/products/nessus
- Acunetix https://www.acunetix.com/
- Proxyman https://proxyman.com/
Specialised
- nmap (scanning) https://nmap.org/
- Sqlmap (SQL) https://sqlmap.org/
- ffuf (fuzzer) https://github.com/ffuf/ffuf
- Gobuster (brute-force) https://github.com/OJ/gobuster
- Dalfox (XSS) https://github.com/hahwul/dalfox
Courses
Pentesting: