Share
## https://sploitus.com/exploit?id=D0E8ECCE-3996-5262-972C-FC43595E0E65
# Red Team Toolkit

> Curated operator catalog for red team engagements. **251 tools** across **22 categories**, plus a **64-step engagement workflow** and a **trending-PoC tracker** updated weekly.

Maintained by [@mr4dot](https://github.com/mr4dot). PRs welcome.

## Download

- **[RT_Toolkit_Catalog.xlsx](RT_Toolkit_Catalog.xlsx)** โ€” styled, filterable, color-coded by tier. Open in Excel / LibreOffice / Google Sheets.
- **[build_rt_toolkit_xlsx.py](build_rt_toolkit_xlsx.py)** โ€” the builder. Edit the `TOOLS` / `WORKFLOW` / `POC_TRACKER` lists and re-run to regenerate everything.

## Tier legend

| Tier | Meaning |
|---|---|
| **S** | Must-have. Install on every ops box, day one. |
| **A** | Strong. Install when category is in scope. |
| **B** | Situational. Be aware; install on demand. |

## Table of contents

- [Engagement workflow (must-do checklist)](#engagement-workflow)
- [Trending PoCs & named vulns](#trending-pocs--named-vulns)
- [Tool catalog](#tool-catalog)
  - [Recon & OSINT](#recon-osint)
  - [Code & Secret Search](#code-secret-search)
  - [Company & People Intel](#company-people-intel)
  - [Internet-Wide Search](#internet-wide-search)
  - [Subdomain & Asset](#subdomain-asset)
  - [Web App / API](#web-app-api)
  - [Phishing & IA](#phishing-ia)
  - [C2 Frameworks](#c2-frameworks)
  - [AD Enum & Attack](#ad-enum-attack)
  - [Creds & Cracking](#creds-cracking)
  - [Priv Esc](#priv-esc)
  - [Lateral Movement](#lateral-movement)
  - [Tunneling & Pivoting](#tunneling-pivoting)
  - [EDR Evasion](#edr-evasion)
  - [Cloud / Identity](#cloud-identity)
  - [Container / K8s](#container-k8s)
  - [Mobile](#mobile)
  - [Wireless & Physical](#wireless-physical)
  - [Reverse Engineering](#reverse-engineering)
  - [Reporting](#reporting)
  - [References & Lists](#references-lists)
  - [Intel & PoC Watch](#intel-poc-watch)

## Engagement workflow

Copy this section per engagement and check items off as you go. 9 phases, 64 steps.


### 1. Pre-Engagement

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Signed SoW + authorization letter in hand | `โ€”` | Non-negotiable; never start without it |
| 2 | Get exact in-scope IPs/CIDRs/domains/cloud tenants/subsidiaries | `Client` | Document; over-scope = legal risk |
| 3 | Get exclusion list (sensitive servers/IPs/people) | `Client` | Common: DR sites, exec workstations, payment infra |
| 4 | Define RoE: hours, OOH allowed, SE allowed, physical allowed, DoS forbidden | `Doc` | Sign-off in writing |
| 5 | Get escalation contacts + emergency stop procedure | `Client` | Name, phone, off-hours number |
| 6 | Set up isolated ops VPS + redirectors | `DigitalOcean/Vultr/Linode` | Never run C2 from your home IP |
| 7 | Create engagement Obsidian vault + Ghostwriter project | `Obsidian, Ghostwriter` | Templates ready before day 1 |

### 2. External Recon

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Subdomain enum: passive then active | `subfinder, amass, crt.sh` | Always cert-transparency first |
| 2 | Probe + fingerprint all live hosts | `httpx, nuclei` | Tag CMS/edge/auth tech |
| 3 | Port-scan in-scope CIDRs | `naabu -> nmap -sCV` | Naabu for breadth, nmap for depth |
| 4 | Search Shodan/Censys/FOFA for org assets | `Shodan, Censys, FOFA` | ssl.cert.subject.CN / org name queries |
| 5 | Map ASN -> ranges -> related orgs | `asnmap, bgp.he.net` | Catches forgotten infra |
| 6 | Pull historical DNS / dropped subdomains | `SecurityTrails, ViewDNS` | Dropped names often reused |
| 7 | Cert-transparency monitoring set up | `crt.sh, cert.sh API` | Catch infra spinning up mid-engagement |
| 8 | Fingerprint tech stack of public sites | `BuiltWith, Wappalyzer` | Informs exploit selection |
| 9 | Pull URLs from Wayback / OTX / CC | `gau, waybackurls, katana` | Old endpoints = old auth = often broken |
| 10 | nuclei full-scan in-scope assets | `nuclei` | All severity; triage to True Positives |

### 3. People & Company Intel

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | LinkedIn org scrape -> name list | `LI Sales Nav, Phantombuster` | Roles + dept structure |
| 2 | Email pattern discovery + verification | `Hunter.io, Apollo.io, snov.io` | Confirm format before spray |
| 3 | Build target list: VIP / IT / finance / HR | `Spreadsheet` | Tier by phishing value |
| 4 | Check domain on DeHashed/LeakCheck/HIBP | `DeHashed, LeakCheck, HIBP` | Pull historic creds for spray |
| 5 | Pull stealer-log triples (email:pass:URL) | `HIBP Pwned 5, DeHashed` | Targets active sessions/services |
| 6 | Check subsidiaries / parent / recent M&A | `Crunchbase, OpenCorporates` | Often forgotten attack surface |
| 7 | Map physical addresses (for SE / physical) | `Google Maps, LI office page` | Only if in scope |

### 4. Code & Secret Hunting

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | GitHub org code search for secrets | `grep.app, GH advanced search, GitDorker` | AKIA, BEGIN RSA, internal hostnames |
| 2 | Scan org repos with secret scanners | `Trufflehog, Gitleaks, Noseyparker` | Verified results only |
| 3 | Check publicwww for org JS / inline keys | `publicwww` | Internal API keys leak to frontends |
| 4 | GitHub Actions / CI enum | `Gato` | Pipeline takeover paths |
| 5 | Search past employees' personal repos | `GitHub user search` | Departures leak more than orgs |
| 6 | Check pastebin / ghostbin archives | `IntelX, urlscan` | Old paste dumps |

### 5. Initial Access

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Phishing infra: domain + warming + redirector | `dnstwist, Evilginx3, GoPhish` | Domain age >2 weeks ideal |
| 2 | Test SPF/DMARC of target | `espoofer, MXToolbox` | Determines spoof viability |
| 3 | Stealer-log + breach cred password spray | `TeamFiltration, MSOLSpray, TrevorSpray` | Check lockout policy first |
| 4 | Spray external auth surfaces (VPN/OWA/Citrix) | `nxc, custom` | Slow + low; respect lockout |
| 5 | Public-vuln exploitation from nuclei findings | `nuclei + manual triage` | Only after manual confirm |
| 6 | MFA-bypass phishing campaign | `Evilginx3 + crafted lures` | Use TeamFiltration tenant intel |

### 6. Post-Ex / Internal Recon

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Host triage: identify EDR + AV | `SharpEDRChecker, Seatbelt` | Know what's watching |
| 2 | Privesc enumeration | `WinPEAS / LinPEAS / Seatbelt` | Run early; quick wins |
| 3 | Dump LSASS in-memory | `nanodump + pypykatz offline` | Avoid procdump |
| 4 | Network-wide DPAPI loot | `DonPAPI / Hekatomb` | Browser/RDP/wifi creds |
| 5 | Internal Responder + mitm6 (passive listen) | `Responder, mitm6 + ntlmrelayx` | Coffee-break creds |
| 6 | SharpHound collection (all) | `SharpHound CE` | Upload to BloodHound CE |
| 7 | Find SMB share secrets | `Snaffler, ManSpider` | Often instant DA path |
| 8 | AD CS enumeration (ESC1-15) | `Certipy find -vulnerable` | Quickest DA in 2025+ |
| 9 | PingCastle quick audit | `PingCastle` | Validation pass for missed paths |

### 7. Lateral & Domain Dominance

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Pivot infra: ligolo-ng over C2 | `ligolo-ng, chisel` | Full subnet pivot, no proxychains pain |
| 2 | Coerce + relay to escalate | `Coercer + ntlmrelayx/bloodyAD` | Always-try: PetitPotam, DFSCoerce |
| 3 | Kerberoast + AS-REP roast all valid | `Rubeus, GetUserSPNs.py` | Crack offline |
| 4 | Cert-based domain takeover | `Certipy` | ESC1/ESC8 = instant DA usually |
| 5 | DCSync to confirm DA equivalence | `secretsdump, mimikatz lsadump::dcsync` | Proof for report |
| 6 | Forest / cross-domain enumeration | `BloodHound 'Cross-domain edges'` | If multi-domain in scope |

### 8. Cloud / O365 (if scoped)

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Tenant ID + federation type lookup | `AADInternals, TeamFiltration` | Decide spray vs phish |
| 2 | Entra full enum (users/groups/apps/roles) | `ROADrecon` | Map post-foothold |
| 3 | AzureHound -> BloodHound | `AzureHound` | Path to GA / subscription owner |
| 4 | Post-token: M365 exfil / hunt | `GraphRunner` | Email/SharePoint/Teams sweep |
| 5 | AWS: CloudFox -> Pacu | `CloudFox, Pacu` | Standard AWS post-compromise |

### 9. Reporting & Closeout

| # | Action | Tool / Service | Notes |
|---|---|---|---|
| 1 | Screenshot every milestone (timestamped) | `ShareX, Greenshot` | No screenshot = didn't happen |
| 2 | Map every TTP used to MITRE ATT&CK | `ATT&CK Navigator` | Client expects this |
| 3 | Severity per finding (CVSS + business) | `Report template` | Business context > raw CVSS |
| 4 | Write remediation w/ code/config snippets | `Report template` | Generic remediation = bad report |
| 5 | Executive summary (1-page, non-technical) | `Report template` | Often the only page read |
| 6 | Attack-path diagram | `draw.io, Excalidraw` | Story-tells the breach |
| 7 | Remove implants, accounts, certs, persistence | `Cleanup script` | Confirm in writing with client |
| 8 | Schedule retest window if in scope | `Calendar` | Often billable |

## Trending PoCs & named vulns

Update weekly from sources in the [Intel & PoC Watch](#intel--poc-watch) section.

| Date | CVE / ID | Nickname | Type | Affected | Severity | PoC |
|---|---|---|---|---|---|---|
| 2024-04-12 | `CVE-2024-3400` | **GlobalProtect 0day** | Pre-auth RCE | Palo Alto GlobalProtect | Crit | [link](https://github.com/h4x0r-dz/CVE-2024-3400) |
| 2024-02-19 | `CVE-2024-1709` | **SlashAndGrab** | Auth bypass | ConnectWise ScreenConnect | Crit | [link](https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE) |
| 2023-10-10 | `CVE-2023-4966` | **Citrix Bleed** | Session hijack | NetScaler ADC / Gateway | Crit | [link](https://github.com/assetnote/exploits/tree/main/citrix) |
| 2024-04-19 | `CVE-2024-4040` | **CrushFTP VFS escape** | Auth bypass | CrushFTP  shellcode converter | `BSD-3` | Foundation for most loaders |
| **S** | [EDRSandblast](https://github.com/wavestone-cdt/EDRSandblast) | Userland + kernel EDR bypass | `GPL-3.0` | BYOVD + unhooking |
| **S** | [EDRSilencer](https://github.com/netero1010/EDRSilencer) | WFP-based EDR network silencing | `MIT` | Blocks EDR telemetry to cloud (S1-relevant) |
| **S** | [Maldev-Academy](https://github.com/Maldev-Academy) | Modern maldev technique reference repos | `MIT` | Study, don't copy-paste |
| **S** | [SysWhispers3](https://github.com/klezVirus/SysWhispers3) | Direct/indirect syscalls in C/ASM | `MIT` | Standard for syscall loaders |
| **A** | [Acheron](https://github.com/f1zm0/acheron) | Indirect syscalls + AMSI/ETW patch (Go) | `GPL-3.0` | Drop-in for Go implants |
| **A** | [AMSI.fail](https://amsi.fail/) | AMSI bypass generator (web) | `Free` | Quick obfuscated bypass strings |
| **A** | [Freeze](https://github.com/optiv/Freeze) | Payload loader using suspended processes | `MIT` | Bypasses many userland hooks |
| **A** | [HellsHall](https://github.com/Maldev-Academy/HellHall) | Indirect syscall technique (modern) | `MIT` | Evolution of HellsGate/TartarusGate |
| **A** | [Inceptor](https://github.com/klezVirus/inceptor) | Modular AV/EDR evasion compiler | `GPL-3.0` | Wraps Donut/sgnLoader/etc. |
| **A** | [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) | PowerShell obfuscation framework | `Apache-2.0` | Classic; still effective with tweaks |
| **A** | [Mockingjay](https://github.com/CodeXTF2/Mockingjay-PoC) | Process injection w/o RWX/alloc/CreateThread | `MIT` | Bypasses common memory scans |
| **A** | [SharpEDRChecker](https://github.com/PwnDexter/SharpEDRChecker) | Identify EDR on a host | `GPL-3.0` | Know what you're up against |
| **A** | [ThreadlessInject](https://github.com/CCob/ThreadlessInject) | Thread-less process injection | `MIT` | Bypasses thread-creation telemetry |

### Cloud / Identity

_12 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [AADInternals](https://github.com/Gerenios/AADInternals) | PowerShell Entra/M365 toolkit | `MIT` | Most complete Entra/M365 kit |
| **S** | [AzureHound](https://github.com/SpecterOps/AzureHound) | BloodHound for Azure | `Apache-2.0` | Run alongside ROADtools |
| **S** | [CloudFox](https://github.com/BishopFox/cloudfox) | Attack paths in AWS/Azure/GCP | `MIT` | Quick wins from compromised creds |
| **S** | [GraphRunner](https://github.com/dafthack/GraphRunner) | Post-compromise M365 toolkit | `MIT` | After token compromise |
| **S** | [Pacu](https://github.com/RhinoSecurityLabs/pacu) | AWS exploitation framework (Rhino) | `BSD-3` | AWS post-compromise default |
| **S** | [ROADtools](https://github.com/dirkjanm/ROADtools) | Azure AD enum (dirkjanm) | `MIT` | Standard for Entra recon |
| **S** | [TeamFiltration](https://github.com/Flangvik/TeamFiltration) | O365 enum, spray, exfil | `GPL-3.0` | Best one-shot O365 RT tool |
| **S** | [TokenTactics V2](https://github.com/f-bader/TokenTacticsV2) | Entra token abuse & device-code phishing | `MIT` | Live tool for token theft chains |
| **A** | [MicroBurst](https://github.com/NetSPI/MicroBurst) | Azure attack PS module (NetSPI) | `BSD-3` | Classic Azure abuse PS |
| **A** | [Prowler](https://github.com/prowler-cloud/prowler) | Cloud security audit (AWS/Azure/GCP/K8s) | `Apache-2.0` | Pre-engagement asset map |
| **A** | [ScoutSuite](https://github.com/nccgroup/ScoutSuite) | Multi-cloud config auditor | `GPL-2.0` | Good HTML report output |
| **A** | [Stratus Red Team](https://github.com/DataDog/stratus-red-team) | Cloud TTP emulation (DataDog) | `Apache-2.0` | Detection validation engagements |

### Container / K8s

_5 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [Peirates](https://github.com/inguardians/peirates) | K8s post-exploitation | `GPL-2.0` | If you land in a pod, run this |
| **A** | [kdigger](https://github.com/quarkslab/kdigger) | K8s context discovery from a pod | `Apache-2.0` | Quarkslab; quick pod recon |
| **A** | [kube-hunter](https://github.com/aquasecurity/kube-hunter) | K8s recon / vuln check | `Apache-2.0` | External + internal modes |
| **A** | [KubiScan](https://github.com/cyberark/KubiScan) | K8s RBAC permission scanner | `GPL-3.0` | CyberArk; finds risky bindings |
| **A** | [Trivy](https://github.com/aquasecurity/trivy) | Container/IaC/SBOM scanner | `Apache-2.0` | Image triage on found registries |

### Mobile

_7 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [apktool](https://github.com/iBotPeaches/Apktool) | APK reverse engineering toolkit | `Apache-2.0` | Decompile/recompile/sign |
| **S** | [Frida](https://github.com/frida/frida) | Dynamic instrumentation toolkit | `wxWindows` | Runtime hooking; mobile + desktop |
| **S** | [jadx](https://github.com/skylot/jadx) | DEX -> Java decompiler | `Apache-2.0` | Best Android Java decompiler |
| **S** | [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | Mobile app static + dynamic analyzer | `GPL-3.0` | Start here for any APK/IPA |
| **S** | [objection](https://github.com/sensepost/objection) | Frida wrapper for fast mobile RT | `GPL-3.0` | SSL pin bypass / runtime explore |
| **A** | [BurpMobile](https://portswigger.net/burp/documentation/desktop/mobile) | Burp Mobile Assistant | `Commercial` | Easier proxy setup for mobile |
| **A** | [Drozer](https://github.com/WithSecureLabs/drozer) | Android security testing framework | `BSD-3` | IPC/intent testing |

### Wireless & Physical

_9 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [bettercap](https://github.com/bettercap/bettercap) | Network attack/MitM swiss-army | `GPL-3.0` | Wi-Fi/BLE/HID/ARP all in one |
| **S** | [EAPHammer](https://github.com/s0lst1c3/eaphammer) | WPA2-Enterprise rogue AP attacks | `GPL-3.0` | Best for corp wifi (PEAP/MSCHAPv2) |
| **S** | [Proxmark3 RDV4](https://github.com/RfidResearchGroup/proxmark3) | RFID / NFC research tool | `GPL-3.0` | Industry standard for badge cloning |
| **A** | [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon) | Multi-feature wireless audit framework | `GPL-3.0` | Menu-driven; great for OOH ops |
| **A** | [Flipper Zero (Unleashed)](https://github.com/DarkFlippers/unleashed-firmware) | Multi-tool firmware (community) | `GPL-3.0` | Sub-GHz/NFC/RFID/IR/BadUSB |
| **A** | [Hak5 Gear](https://shop.hak5.org/) | Bash Bunny, Rubber Ducky, OMG Cable, LAN Turtle | `Commercial` | Physical drop / HID attacks |
| **A** | [Hostapd-WPE](https://github.com/OpenSecurityResearch/hostapd-wpe) | Enterprise rogue AP | `BSD-3` | Older; EAPHammer wraps it |
| **A** | [Kismet](https://www.kismetwireless.net/) | Wireless network detector / sniffer | `GPL-2.0` | Passive site survey |
| **A** | [Wifite2](https://github.com/derv82/wifite2) | Automated wireless attacks | `GPL-2.0` | WPA/WPS/PMKID one-shot |

### Reverse Engineering

_8 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [dnSpyEx](https://github.com/dnSpyEx/dnSpy) | Maintained .NET debugger/decompiler fork | `GPL-3.0` | .NET RE; live debugging too |
| **S** | [Ghidra](https://github.com/NationalSecurityAgency/ghidra) | NSA-released RE platform | `Apache-2.0` | Free; rivals IDA for most work |
| **S** | [x64dbg](https://github.com/x64dbg/x64dbg) | Open-source Windows debugger | `GPL-3.0` | Replaces OllyDbg |
| **A** | [Binary Ninja](https://binary.ninja/) | Modern commercial RE platform | `Commercial` | Personal license ~USD300; great UX |
| **A** | [Cutter](https://github.com/rizinorg/cutter) | Radare2 GUI frontend | `GPL-3.0` | Alt to Ghidra |
| **A** | [IDA Free](https://hex-rays.com/ida-free/) | Hex-Rays disassembler (free tier) | `Commercial` | Pro/Home for decompiler |
| **A** | [ILSpy](https://github.com/icsharpcode/ILSpy) | Lightweight .NET decompiler | `MIT` | Quick PE peek |
| **A** | [PE-bear](https://github.com/hasherezade/pe-bear) | PE file analyzer | `BSD-2` | Static PE inspection; hasherezade |

### Reporting

_9 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [Ghostwriter](https://github.com/GhostManager/Ghostwriter) | Reporting + project mgmt (SpecterOps) | `BSD-3` | Built by RT operators for RT |
| **S** | [Obsidian](https://obsidian.md/) | Markdown vault for engagement notes | `Freemium` | Local-first; per-engagement templates |
| **S** | [SysReptor](https://github.com/Syslifters/sysreptor) | Modern OSS pentest reporting | `MIT` | Best free reporting tool now |
| **A** | [Joplin](https://joplinapp.org/) | OSS notes (E2EE sync) | `MIT` | Encrypted-sync alt to Obsidian |
| **A** | [PlexTrac](https://plextrac.com/) | Commercial reporting & PTaaS | `Commercial` | If enterprise client demands |
| **A** | [Pwndoc](https://github.com/pwndoc/pwndoc) | Open-source pentest report generator | `GPL-3.0` | Vuln library + docx render |
| **A** | [VECTR](https://github.com/SecurityRiskAdvisors/VECTR) | TTP execution tracking (purple-team) | `Special` | Detection-validation engagements |
| **A** | [WriteHat](https://github.com/blacklanternsecurity/writehat) | Markdown-based reports | `GPL-3.0` | Lighter than Ghostwriter |
| **B** | [AttackForge](https://attackforge.com/) | Commercial pentest mgmt | `Commercial` | Heavy enterprise |

### References & Lists

_10 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [HackTricks](https://book.hacktricks.xyz/) | Pentest/RT knowledgebase wiki | `CC-BY-NC-4.0` | Mirror locally for offline |
| **S** | [MITRE ATT&CK](https://attack.mitre.org/) | TTP framework for mapping ops | `Apache-2.0` | Map every action; clients want it |
| **S** | [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) | Payload/bypass cheatsheet repo | `MIT` | Living document; bookmark |
| **S** | [SecLists](https://github.com/danielmiessler/SecLists) | Wordlists for everything | `MIT` | First clone on any ops box |
| **A** | [0xdf walkthroughs](https://0xdf.gitlab.io/) | HTB writeups (technique reference) | `Free` | Specific technique recall |
| **A** | [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) | ATT&CK-mapped test cases | `MIT` | Detection validation |
| **A** | [Awesome-Red-Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming) | Curated RT resource list | `CC0` | Discovery of new tooling |
| **A** | [Hydra](https://github.com/vanhauser-thc/thc-hydra) | Network login bruteforcer | `AGPL-3.0` | When nxc doesn't fit the protocol |
| **A** | [MITRE Caldera](https://github.com/mitre/caldera) | Automated adversary emulation | `Apache-2.0` | Purple-team / repeatable scenarios |
| **B** | [Awesome-Hacking](https://github.com/Hack-with-Github/Awesome-Hacking) | Mega-list of security resources | `CC0` | Broad index |

### Intel & PoC Watch

_32 tools_

| Tier | Tool | Description | License | Operator notes |
|:---:|---|---|---|---|
| **S** | [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) | Known Exploited Vulns - US gov authoritative list | `Free` | If it's on KEV it's confirmed in-the-wild; check weekly |
| **S** | [CVE Trends](https://cvetrends.com/) | Trending CVEs by Twitter/news mentions | `Free` | Live pulse; bookmark |
| **S** | [GitHub PoC-in-GitHub](https://github.com/nomi-sec/PoC-in-GitHub) | Auto-aggregates new CVE PoCs from GH | `MIT` | Daily updates; bookmark + RSS |
| **S** | [inthewild.io](https://inthewild.io/) | Tracks CVEs with public exploit + ITW evidence | `Free` | Faster signal than KEV; shows PoC + exploitation |
| **S** | [MDSec blog](https://www.mdsec.co.uk/research/) | RT research (Nighthawk team) | `Free` | Adversary simulation tradecraft |
| **S** | [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) | Auto-updated template repo (PoC index) | `MIT` | Watch commits; new template = new exploit usually |
| **S** | [Outflank blog](https://www.outflank.nl/blog/) | Mature RT tradecraft writeups | `Free` | Nighthawk team; high quality |
| **S** | [Reddit r/netsec](https://www.reddit.com/r/netsec/) | Curated infosec link aggregator | `Free` | Best signal:noise security sub |
| **S** | [SpecterOps blog](https://posts.specterops.io/) | RT methodology + tool drops | `Free` | BloodHound team output |
| **S** | [TLDR Sec](https://tldrsec.com/) | Weekly RT/AppSec/cloud newsletter (Clint Gibler) | `Free` | Fri delivery; best single weekly read |
| **S** | [VulnCheck KEV](https://vulncheck.com/kev) | Expanded KEV w/ pre-CISA additions | `Freemium` | Often lists CVEs days before CISA does |
| **S** | [watchTowr Labs blog](https://labs.watchtowr.com/) | Research drops (often w/ working PoC) | `Free` | Edge-device vuln research; consistent quality |
| **S** | [X: @0gtweet](https://x.com/0gtweet) | Windows internals research (G. Tworek) | `Free` | Unusual Windows abuse vectors |
| **S** | [X: @decoder_it](https://x.com/decoder_it) | Windows local privesc / token abuse | `Free` | Best Win-priv-esc source on X |
| **S** | [X: @dirkjanm](https://x.com/_dirkjan) | Entra/AD CS / mitm6 author | `Free` | Best Entra/AD researcher |
| **S** | [X: @Flangvik](https://x.com/Flangvik) | TrustedSec; RT tradecraft (TeamFiltration author) | `Free` | M365/RT tooling drops |
| **S** | [X: @gentilkiwi](https://x.com/gentilkiwi) | Mimikatz author - Win cred research | `Free` | Source for cred-theft news |
| **S** | [X: @hasherezade](https://x.com/hasherezade) | Malware / loader / injection research | `Free` | PE-bear author; loader tradecraft |
| **S** | [X: @PetitPotam](https://x.com/topotam77) | AD coercion / NTLM relay research (T. Chappuis) | `Free` | All coercion-bug news lands here |
| **S** | [X: @SpecterOps](https://x.com/SpecterOps) | BloodHound/Ghostwriter team RT research | `Free` | Plus team accounts: harmj0y, _wald0, CptJesus |
| **A** | [Exploit-DB](https://www.exploit-db.com/) | Searchable exploit archive (Offensive Security) | `Free` | Use searchsploit CLI locally |
| **A** | [GitHub Trending (Sec)](https://github.com/trending?since=weekly) | Daily/weekly trending repos | `Free` | Filter by language; spot new tools early |
| **A** | [Packet Storm](https://packetstormsecurity.com/) | Daily exploits / advisories feed | `Free` | RSS-friendly; daily skim |
| **A** | [Project Zero blog](https://googleprojectzero.blogspot.com/) | Google P0 research | `Free` | Deep technical; less RT-immediate |
| **A** | [Reddit r/redteamsec](https://www.reddit.com/r/redteamsec/) | Red team specific posts/discussion | `Free` | Smaller community; tradecraft focus |
| **A** | [Risky Biz News](https://news.risky.biz/) | Daily infosec brief (Catalin Cimpanu) | `Free` | Email or RSS; quick scan |
| **A** | [Trickest CVE PoC](https://github.com/trickest/cve) | Curated CVE -> PoC repo mapping | `MIT` | Better signal than raw GH search |
| **A** | [X: @bohops](https://x.com/bohops) | LOLBAS / Windows abuse research | `Free` | Bypass / persistence ideas |
| **A** | [X: @cyb3rops](https://x.com/cyb3rops) | Detection eng / threat intel (Florian Roth) | `Free` | Defender POV = know what triggers |
| **A** | [X: @inversecos](https://x.com/inversecos) | DFIR + cloud detection research | `Free` | Defender lens on RT tradecraft |
| **A** | [X: @vxunderground](https://x.com/vxunderground) | Malware sample archive + news | `Free` | Daily malware/news drops |
| **B** | [0day.today](https://0day.today/) | Exploit market + free PoCs | `Freemium` | Some paid; treat with caution |

## Contributing

Edit `build_rt_toolkit_xlsx.py` โ€” append to the `TOOLS`, `WORKFLOW`, or `POC_TRACKER` lists, then run:

```bash
pip install openpyxl
python build_rt_toolkit_xlsx.py
```

Both `RT_Toolkit_Catalog.xlsx` and this `README.md` regenerate from the same source.

## License

MIT โ€” see [LICENSE](LICENSE).

---

Disclaimer: tools listed are for **authorized security testing only**. You are responsible for legal use within engagement scope.