Curating 200 Security Tools
Kali has 600+ tools. Half are unmaintained. We ship 200, and every one is tested on every release.
Selection criteria
- Active — committed to in the last 12 months
- Functional — passes our automated test suite
- Unique — doesn't duplicate another tool's core function
- Legal — open source with a clear license
Why we dropped 40 tools
In the v1.0 to v2.0 transition, we dropped 40 tools that failed our criteria. Examples:
- Armitage — Java dependency nightmare, redundant with Metasploit CLI
- Maltego CE — proprietary, limited free tier
- Sparta — unmaintained since 2019
- BeEF — Ruby dependency conflicts with other tools
Automated testing
Every tool has a smoke test that runs in CI:
```
// test-tools.ltl
tools
  |> map(|t| (t.name, run_smoke_test(t)))
  |> partition(|(_, result)| result.is_ok())
  |> match {
    (passed, failed) => {
      println("{passed |> len()} passed, {failed |> len()} failed")
      failed |> each(|(name, err)| println("  FAIL: {name}: {err}"))
    }
  }
```
Community input
Tool requests go through GitHub issues. If a tool meets our criteria and gets 5+ upvotes, we add it to the next release.
Category breakdown
Our 200 tools are organized into 10 categories. Here's the full breakdown with representative tools:
- Recon (28 tools) — nmap, masscan, amass, subfinder, httpx, gowitness, whatweb, wafw00f
- Web (32 tools) — Burp Suite, SQLMap, ffuf, nuclei, wfuzz, XSStrike, dalfox, arjun
- Network (22 tools) — Wireshark, tcpdump, Responder, mitm6, bettercap, proxychains, chisel
- Wireless (14 tools) — aircrack-ng, wifite, bully, hcxdumptool, kismet, fluxion
- Exploit (24 tools) — Metasploit, searchsploit, pwntools, ROPgadget, msfvenom, evil-winrm
- Post-Exploitation (18 tools) — BloodHound, Mimikatz, CrackMapExec, Rubeus, Certipy, ligolo-ng
- Password (16 tools) — hashcat, John the Ripper, hydra, CeWL, crunch, haiti
- Forensics (20 tools) — Autopsy, Volatility, binwalk, foremost, exiftool, bulk_extractor
- Reverse (14 tools) — Ghidra, radare2, IDA Free, Binary Ninja Cloud, objdump, ltrace, strace
- Report (12 tools) — CherryTree, Obsidian, Dradis, pipal, seclists, wordlists
Version pinning strategy
Not all tools should be bleeding-edge. We use a three-tier version strategy:
- Track latest — security scanners like nuclei and nmap that need current signatures/scripts. Updated weekly.
- Track stable — frameworks like Metasploit and Burp Suite that need reliability. Updated monthly after testing.
- Pin specific — tools with known breaking changes between versions. Updated manually after compatibility testing.
Tool wrapper system
Every tool in NullSec has a Lateralus wrapper that provides structured I/O. Instead of parsing text output, you get typed data:
```
// Without wrapper (traditional approach):
let raw = shell("nmap -sV -oX - 10.0.0.1")
let hosts = parse_nmap_xml(raw)  // fragile XML parsing

// With NullSec wrapper (Lateralus-native):
let hosts = nmap_scan("10.0.0.1", flags: "-sV")
// Returns Vec<Host> with typed fields:
//   hosts[0].ip                : String
//   hosts[0].ports             : Vec<Port>
//   hosts[0].ports[0].number   : Int
//   hosts[0].ports[0].service  : String
//   hosts[0].ports[0].version  : String
```
The wrappers handle argument building, output parsing, error handling, and logging. They're maintained in a separate repository (nullsec-tool-wrappers) and versioned independently from the tools themselves.
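To make the wrapper shape concrete outside Lateralus, here is an added Python sketch of the same nmap wrapper (example code, not from NullSec or the nullsec-tool-wrappers repository): it builds the argument list, parses nmap's `-oX -` XML into typed records, and fails loudly on malformed output. The dataclass names and the sample XML are assumptions constructed for this example.

```python
import subprocess
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class Port:
    number: int
    state: str
    service: str
    version: str

@dataclass
class Host:
    ip: str
    ports: list = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> list:
    # Output parsing: nmap XML -> list[Host]; malformed XML raises, never partial data.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"nmap XML parse failed: {exc}") from exc
    hosts = []
    for h in root.iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue  # host entry without an IPv4 address: nothing to type
        host = Host(ip=addr.get("addr"))
        for p in h.iter("port"):
            st, svc = p.find("state"), p.find("service")
            ver = [svc.get("product"), svc.get("version")] if svc is not None else []
            host.ports.append(Port(
                number=int(p.get("portid")),
                state=st.get("state", "") if st is not None else "",
                service=svc.get("name", "") if svc is not None else "",
                version=" ".join(v for v in ver if v)))
        hosts.append(host)
    return hosts

def nmap_scan(target: str, flags: str = "-sV") -> list:
    # Argument building: argv list (no shell), XML forced onto stdout; assumes nmap on PATH.
    argv = ["nmap", *flags.split(), "-oX", "-", target]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return parse_nmap_xml(out)

# Constructed sample in the shape of `nmap -sV -oX -` output (hypothetical, not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap"><host><address addr="10.0.0.1" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
</ports></host></nmaprun>"""
```

`parse_nmap_xml(SAMPLE_XML)` exercises the parser offline; `nmap_scan` only adds the subprocess call around it.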
Deprecation process
When a tool is dropped, we don't just remove it. The deprecation process spans two releases:
- Release N — tool is marked deprecated. Running it prints a warning with the recommended replacement. The tool still works.
- Release N+1 — tool is removed. A stub command remains that prints "This tool was removed in NullSec X.Y. Use [replacement] instead."
This gives users two full release cycles to update their scripts and workflows. We also publish a migration guide for each deprecated tool showing how to replicate its functionality with the replacement.