Together we are strong

With a clear lack of GRC specialists on the market, we are building a first of its kind  Open source GRC library as part of our mission to democratize GRC, helping you to save time and build a strong community!

Subscribe to our newsletter and be the first to discover new content.


GPT Plugins*

Policy & Procedure generator

Nobody should be wasting time on reinventing the wheel, which is why we created a GPT* to generate lists of required policies and procedures and their content in line with the requirements you need to implement.

Brainframe ChatGPT plugin - Policy & Procedure Generator

Vulnerability insights

Every day thousands of vulnerabilities are discovered in different software solution, libraries and online services that define your level of exposure. To help you gain time, we created a GPT* that lists you all details

Brainframe ChatGPT plugin - Vulnerability insights

Your personal GRC tutor

You can't be perfect at everything from the start, especially not in the vast domain of GRC. This is why our tutor is there to help you improve your skills to help obtain related certifications. We highly recommend using this GPT* using your mobile device and use the conversation mode, so you can really be challenged in line with your expertise and in the domain of your choosing

Brainframe ChatGPT plugin - Your personal GRC tutor

NIS2 Implementation assistant 

Your personal assistant to guide you through the implementation of NIS2. Ask clarifications for specific concepts, requirements and best practices to help you efficiently implement the requirements of the directive

Brainframe ChatGPT plugin - NIS2 Implementation assistant

ISO27001:2022 Implementation assistant 

Your personal assistant to guide you through the implementation of ISO27001:2022. Ask clarifications for specific concepts, requirements and best practices to help you efficiently implement the requirements of the standard

Brainframe ChatGPT plugin - ISO27001 Implementation assistant

Or on your own with the ISACA implementation guide:

* Requires ChatGPT Plus subscription

Open source

Ready to use policies & procedures 

 A set of policies, standards and control procedures with mapping to ISO27001, GDPR, HIPAA, NIST CSF, PCI DSS, SOC2, FedRAMP, CIS Controls, and more.

Open in Github


Cyber security does not always need to be very expensive. Below is a curated list of open source or broad free usage tools you can use to improve your cyber posture

Network security & monitoring

  • Wireshark: A network protocol analyser used for network troubleshooting, analysis, and communication protocol development.
  • Snort: A network intrusion detection system (NIDS) capable of performing real-time traffic analysis and packet logging.
  • Bro/Zeek: A powerful network analysis framework that focuses on security
  • OpenNMS: An enterprise-grade network management application platform.
  • Nmap: A network scanner used for network discovery and security auditing
  • Nagios: A monitoring system that enables organizations to identify and resolve IT infrastructure problems.

Endpoint protection

  • Avast: Known for its solid protection against viruses and malware, including several features typically found in paid software. It includes a basic password manager, network security inspector, and even a hardened browser.
  • Malwarebytes: A very nice and complete malware solution that is free for personal use
  • AVG Antivirus: Now owned by Avast, offers similar protection to Avast. It's well-regarded for its effective detection of malicious software, user-friendly interface, and minimal impact on system performance.
  • Bitdefender:  Bitdefender is praised for its sleek design and minimalistic approach to antivirus protection.
  • Kaspersky: Kaspersky's free version provides top-rated malware protection along with extra features like a VPN and password manager
  • ClamAV: An antivirus engine designed for detecting Trojans, viruses, malware, and other malicious threats on mail gateways.
  • OSSEC: An open-source, host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, policy monitoring, rootkit detection, and real-time alerting.
  • Suricata: A high-performance network IDS, IPS, and network security monitoring engine.
  • Wazuh: A security monitoring tool that provides host-based intrusion detection.
  • chkrootkit: A tool to locally check for signs of a rootkit.
  • Rkhunter: A Unix-based tool for scanning backdoors, rootkits, and local exploits.
  • virustotal: Website to quickly scan any file/url for viruses/malware using many different anti-virus solutions
  • Lookyloo: Check and review URLs and website and visualize their behaviour.

Email security

  • GoPhish - A powerful phishing framework that makes it easy to test your organization's exposure to phishing
  • SpamAssassin: A widely used tool for filtering and identifying spam. It uses a variety of spam detection techniques including DNS-based and fuzzy-checksum-based spam detection, Bayesian filtering, external programs, blacklists, and online databases.
  • DKIM - Not really a tool, but so essential and free to implement
  • DMARC - Similar to DKIM, not a tool but essential
  • Pandora - quick, private and simple suspicious document analysis.  (you can also just forward a mail to,  [email protected] and receive a full analysis)

Source code analysis (SAST/SCA/Mobile)

  • Snyk: Scan your own code and 3rd party code as well as your infrastructure code for vulnerabilities
  • SonarQube:  A widely used tool for continuous inspection of code quality. It performs automatic reviews to detect bugs, code smells, and security vulnerabilities.
  • Brakeman: a static analysis tool specifically designed for Ruby on Rails applications. It scans Rails applications for security vulnerabilities.
  • Bandit: A tool designed to find common security issues in Python code. It processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes.
  • FindSecBugs: A security-specific plugin for SpotBugs (formerly FindBugs), which is used for Java programs. It can identify security flaws in Java applications.
  • ESLint: Statically analyzes your code to quickly find problems. It is built into most text editors and you can run ESLint as part of your continuous integration pipeline.
  • OWASP Dependency-Check: Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
  • Retire.js: Focused on JavaScript, Retire.js identifies the use of JavaScript libraries with known vulnerabilities.
  • OSS Index: A free service by Sonatype, which provides information about known vulnerabilities in open-source software components.

Web application security and vulnerability management

  • OWASP ZAP: A penetration testing tool for finding vulnerabilities in web applications.
  • SQLMap: An automated tool for SQL injection and database takeover.
  • Nikto: A web server scanner which performs comprehensive tests against web servers.
  • Arachni: A feature-full, modular, high-performance Ruby framework aimed at web application security testing.
  • w3af: A web application attack and audit framework for web application security testing.
  • OpenVAS: A framework of several services and tools offering vulnerability scanning and management.
  • MobSF - Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis
  • Nessus Essentials: A widely used vulnerability scanner with high-speed discovery, configuration auditing, and sensitive data discovery
  • Burp Suite Free Edition: An integrated platform for performing security testing of web applications.
  • Metasploit Framework: A tool for developing and executing exploit code against a remote target machine.
  • PwnDoc - A pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report

Security Information and Event Management (SIEM)

  • ELK Stack: A collection of three open-source tools (Elasticsearch, Logstash, Kibana) for searching, analyzing, and visualizing data in real-time.
  • OSSIM: A SIEM software that provides threat detection, incident response, and compliance management.
  • Graylog: A log management and analysis tool for security and debugging.
  • Apache Metron: Integrates a variety of open source big data technologies to offer a centralized tool for security monitoring and analysis.

Password managers

  • Passbolt - Password manager built for organizations that take their security and privacy seriously
  • KeePass: A password manager helping you to manage your passwords securely.
  • Bitwarden: a free and open-source password management service that stores sensitive information in an encrypted vault. It is known for its ease of use and cross-platform compatibility.

Incident response/Risk assessment/Threat intelligence

  • AWS Kill switch - a Lambda function (and proof of concept client) that an organization can implement in a dedicated "Security" account to give their security engineers the ability to quickly deploy restrictions during a security incident
  • TheHive - Open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly
  • Cortex - Tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several
  • MISP: A platform for sharing threat intelligence and malware information.
  • Monarc: A tool and a method allowing an optimised, precise and repeatable risk assessment.
  • Yeti: Aims to bridge the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline for DFIR teams

Feel free to suggest things we can list on our community page that will help people improve their security:

Provide the URL and description of the content you think can support our GRC community, and we'll add it to our page

Personal data collected will be processed in line with our privacy policy
Separate email addresses with a comma.