Pentesting tools

August 8, 2025•94 words

Static analysis

SonarQube https://www.sonarsource.com/

FOSS

ZAP https://github.com/zaproxy/zaproxy
Nuclei https://github.com/projectdiscovery/nuclei
Nettacker https://github.com/OWASP/Nettacker
Nikto https://github.com/sullo/nikto
Arachni https://github.com/Arachni/arachni
Wapiti https://github.com/wapiti-scanner/wapiti
Threatmapper https://github.com/deepfence/ThreatMapper

Fremium

Paid only

Invicti https://www.invicti.com/
Nessus https://www.tenable.com/products/nessus
Acutenix https://www.acunetix.com/
Proxyman https://proxyman.com/

Specialised

nmap (scanning) https://nmap.org/
Sqlmap (sql) https://sqlmap.org/
ffuf (fuzzer) https://github.com/ffuf/ffuf
Gobuster (brute-force) https://github.com/OJ/gobuster
Dalfox (xss) https://github.com/hahwul/dalfox

My stack

SAST: Semgrep, Opengrep, Aikido, Claude
DAST: Burp Suite
SCA: snyk.io
Misc: Insomnia

courses
Pentesting:

https://www.offsec.com/products/oscp-plus/

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from Kevin
All posts

XSS - Security Awareness

January 22, 2026•1,252 words

Following is a small educational content I made for educating devs at my company. Video https://drive.proton.me/urls/ZHJBA1MSZ8#sTJuTPKViUko Script This video's topic is cross-site scripting, aka XSS. XSS is a vulnerability where attacker-controlled input is executed in a user’s browser, often as HTML or JavaScript. In other words, the application treats untrusted input as code rather than as data. A simple example is a website that asks for a name or surname. Instead of entering a normal ...