Best tools for Security Auditing

Fine-grained authorization engine by Okta

OpenFGA is an open-source authorization engine inspired by Google Zanzibar, built and maintained by Okta (Auth0). It provides relationship-based access control with a flexible modeling language, sub-millisecond permission checks, and SDKs for major languages. OpenFGA is used by companies including Grafana Labs, Canonical, and Docker for fine-grained access control in multi-tenant applications.

Google Zanzibar-inspired authorization database

SpiceDB is an open-source authorization database inspired by Google's Zanzibar system, providing relationship-based access control (ReBAC) at scale. It defines permissions through a schema language that models relationships between users, resources, and roles, then evaluates authorization checks in single-digit milliseconds. Used by companies like Netflix and GitHub, SpiceDB handles millions of permission checks per second.

Open-source zero-trust networking with WireGuard

NetBird is an open-source zero-trust networking platform that creates encrypted WireGuard overlay networks between devices without opening ports or configuring firewalls. It provides peer-to-peer connectivity with NAT traversal, access control policies, DNS management, and a web dashboard for team management. NetBird replaces traditional VPNs with a simpler, more secure mesh networking approach for self-hosted infrastructure and remote teams.

In-page AI browser agent via a single script tag

Page Agent is Alibaba's open-source JavaScript library that embeds an AI GUI agent directly into any web page through a single script tag injection. Unlike headless browser tools that operate externally, Page Agent works inside the DOM using text-based manipulation for natural language QA testing, enterprise copilots, and making legacy web apps AI-native. It supports BYOLLM with any model provider and requires no backend changes.

Reusable computer vision tools for developers

Supervision is an open-source Python toolkit by Roboflow providing reusable CV utilities for detection, tracking, annotation, and dataset management. It works with any model including YOLO and Hugging Face via a standardized Detections class. Features include 20+ annotators, ByteTrack object tracking, zone counting, speed estimation, and dataset conversion between COCO, YOLO, and Pascal VOC formats.

Lightweight microVM execution layer for AI agent code sandboxing

Vercel Sandbox provides a lightweight microVM execution environment for running untrusted code generated by AI agents safely. It creates isolated sandboxes that prevent generated code from accessing the host system, network, or other processes. Designed for AI coding platforms that need to execute user or agent-generated code without security risks to the host infrastructure.

Google's application kernel for container sandboxing and security

gVisor is Google's open-source container runtime sandbox that provides an additional layer of isolation between containerized applications and the host kernel. It implements a user-space application kernel that intercepts system calls, preventing container escapes and limiting the attack surface. Used in Google Cloud Run, GKE Sandbox, and other Google Cloud services. Over 18,000 GitHub stars.

Enterprise software composition analysis for supply chain security

Sonatype Lifecycle is an enterprise software composition analysis platform that identifies vulnerabilities, license risks, and quality issues in open-source dependencies throughout the development lifecycle. It integrates with IDEs, CI/CD pipelines, and artifact repositories to block risky components before they enter the codebase. Backed by the largest vulnerability database with proprietary research beyond public CVE data.

Linux Foundation fork of HashiCorp Vault for secrets management

OpenBao is the Linux Foundation's community-driven fork of HashiCorp Vault created after Vault's license change from open-source to BSL. It provides secrets management, encryption as a service, dynamic credentials, and PKI certificate management. Maintains API compatibility with Vault while developing under truly open-source governance with over 5,700 GitHub stars.

Shift-left DAST platform built for CI/CD pipeline integration

StackHawk is a dynamic application security testing platform designed for CI/CD pipeline integration. It tests running web applications and APIs for OWASP Top 10 vulnerabilities including SQL injection, XSS, and authentication flaws during the development process. Built on ZAP with a developer-friendly CLI and YAML configuration, it provides actionable findings with reproducer requests and fix guidance.

AI-powered DAST platform specializing in API and GraphQL security

Escape is an AI-powered dynamic application security testing platform focused on API security including REST, GraphQL, and gRPC endpoints. It automatically discovers and tests API endpoints for vulnerabilities without requiring source code access. Features business logic testing that goes beyond OWASP patterns, CI/CD integration for shift-left security, and detailed remediation guidance for developers.

Enterprise middleware for securing AI applications against prompt attacks

Prompt Security provides enterprise security middleware that protects AI applications from prompt injection, data leakage, jailbreaks, and toxic content generation. It sits between users and LLM APIs to inspect, filter, and sanitize inputs and outputs in real-time. Supports deployment as a proxy, SDK integration, or browser extension with customizable security policies and compliance reporting.

CyberArk's open-source LLM fuzzing framework for AI security testing

FuzzyAI is CyberArk's open-source framework for fuzzing large language models to discover vulnerabilities like jailbreaks, prompt injection, guardrail bypasses, and harmful content generation. It systematically tests LLM deployments with over 20 attack techniques and generates detailed reports. Supports testing any model accessible via API including OpenAI, Anthropic, and self-hosted models.

Leading open-source service mesh for Kubernetes microservices

Istio is the most widely adopted open-source service mesh for Kubernetes, providing traffic management, security, and observability for microservice architectures. It uses Envoy proxy sidecars to intercept and manage service-to-service communication with mutual TLS, fine-grained traffic routing, circuit breaking, and distributed tracing. CNCF Graduated project used in production by Google, IBM, and Salesforce.

eBPF-based networking, security, and observability for Kubernetes

Cilium is a CNCF Graduated project that provides networking, security, and observability for Kubernetes using eBPF technology. It replaces kube-proxy with efficient eBPF-based load balancing, enforces L3-L7 network policies using identity-based security, and includes Hubble for network flow observability and Tetragon for runtime security enforcement. Adopted by Google GKE, AWS EKS Anywhere, and Azure AKS.

Git-native AI agent session capture and reasoning traceability

Checkpoints by Entire captures the full reasoning context behind AI-generated code directly in Git. Founded by former GitHub CEO Thomas Dohmke with a 60 million dollar seed round, it records transcripts, prompts, files touched, token usage, and tool calls alongside every commit. Session metadata lives on a separate branch keeping your history clean, with rewind capabilities to restore any previous agent checkpoint when things go sideways.

Agent harness performance system with 30+ agents and 136 skills

Everything Claude Code is a comprehensive agent harness performance optimization system providing 30 specialized agents, 136 skills, 60 commands, and automated hook workflows for AI-assisted development. Born from an Anthropic hackathon winner and evolved over 10+ months of intensive daily use, it works across Claude Code, Codex, Cursor, and OpenCode with built-in security scanning via AgentShield, continuous learning, and research-first development patterns.

Python toolkit for assessing and mitigating ML model fairness issues

Fairlearn is a Microsoft-backed open-source Python toolkit that helps developers assess and improve the fairness of machine learning models. It provides metrics for measuring disparity across groups defined by sensitive features, mitigation algorithms that reduce unfairness while maintaining model performance, and an interactive visualization dashboard for exploring fairness-accuracy trade-offs. Integrated with scikit-learn and Azure ML's Responsible AI dashboard.

Rust-based agent OS with built-in security, WASM sandboxing, and multi-agent runtime

OpenFang is an open-source agent operating system built in Rust that provides a secure multi-agent runtime with WASM sandboxing, auditability layers, and multi-channel communication. It goes beyond typical orchestration SDKs by treating agent security and operational isolation as first-class concerns, making it suitable for teams deploying agents in environments where trust boundaries and audit trails matter.

Hunt down social media accounts by username across 400+ platforms

Sherlock is a Python CLI tool that searches for a given username across 400+ social networks and websites simultaneously. It is widely used in OSINT investigations, security audits, red teaming exercises, and digital footprint analysis. Sherlock is included in Kali Linux and Parrot Security distributions and has over 76,000 GitHub stars, making it one of the most popular open-source security tools.

Open-source microVMs for secure serverless and AI agent sandboxing

Firecracker is an open-source virtual machine monitor that creates lightweight microVMs with sub-150ms cold starts, originally built by AWS for Lambda and Fargate. With 28,000+ GitHub stars, it provides kernel-level isolation for running untrusted code safely and powers the sandboxing infrastructure behind AI coding agents like Devin and E2B.

Trusted runtime environments for AI agents in production infrastructure

Teleport Beams provides cryptographically verified, policy-gated access for AI agents to interact with production infrastructure including servers, Kubernetes clusters, and databases. Launched at KubeCon EU 2026, Beams extends Teleport's zero-trust access platform with agent-specific runtime controls, audit trails, and policy enforcement to ensure AI agents operate within defined boundaries when deployed in production environments.

Identity-aware VPN and reverse proxy for zero-trust remote access

Pangolin is an open-source, identity-based remote access platform built on WireGuard that combines reverse proxy and VPN into a single self-hosted stack. It provides browser-based access to web apps and client-based access to private resources like SSH, databases, and RDP with zero-trust security. A self-hosted alternative to Cloudflare Tunnels, it handles routing, load balancing, health checking, and automatic SSL without exposing your network.

Sandbox any command with file, network, and credential controls

Zerobox is a security-focused command sandboxing tool that isolates command execution with fine-grained controls over file system access, network connectivity, and credential exposure. It wraps any shell command in a secure container that enforces policy restrictions, preventing unauthorized file reads, network calls, or environment variable leaks during execution.