Our Top tools 2026

Introduction

There are countless tools available across the cyber security landscape. Whether you're performing incident response, threat hunting, penetration testing, malware analysis, digital forensics, or systems administration, there is almost always a specialised tool designed to make the task easier.

From Endpoint Detection and Response (EDR) platforms and Security Information and Event Management (SIEM) solutions to exploit frameworks and forensic suites, the sheer number of available tools can be overwhelming. However, ask any security professional what they use most often and you'll rarely get a list of the most expensive enterprise products. Instead, you'll hear about the tools they reach for every day—the utilities that have become second nature and consistently help them solve problems.

These favourites might be a simple Linux command-line utility, a versatile scripting language, or a powerful open-source platform. The founders of GemForge Labs share some of the tools they regularly rely on and explain why they have earned a permanent place in their toolkit.

Saladin

TCPDump

One of the oldest but still one of the most valuable tools available to defenders and operators alike. TCPDump provides a lightweight method of capturing and analysing network traffic directly from the command line. Whether troubleshooting connectivity issues, investigating suspicious communications, or validating firewall configurations, TCPDump often provides answers faster than opening a graphical packet analysis tool.

Its capture filters, BPF expressions such as host, net, port, tcp and udp, let users capture specific protocols, hosts, ports, or entire conversations with minimal overhead, and -w writes the selected packets to a pcap for later work in Wireshark or a scripted parser. Two habits worth forming: run with -nn so that name and port lookups do not add DNS traffic of their own to the investigation, and always give a capture filter rather than capturing everything, since the filter is what keeps the overhead low. Combined with a solid understanding of networking fundamentals, TCPDump becomes an indispensable troubleshooting and investigative companion.
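A capture file is easier to reason about once you have seen what is inside it. The following is an added example, not from the original post and not tcpdump's own code: it writes a small pcap from constructed Ethernet/IPv4 frames (addresses, MACs and timestamps are made up; the pcap, IPv4, TCP and UDP header layouts are the standard ones) and then applies the same selection as `tcpdump -nn -r capture.pcap 'host 192.0.2.10 and tcp port 443'` in pure Python, with BPF semantics (host matches either end, port matches either port).

```python
"""Write and filter a pcap in pure Python (added example; frames are constructed).

`tcpdump -nn -r capture.pcap 'host 192.0.2.10 and tcp port 443'` performs the same
selection. Addresses/MACs below are made up; header layouts are the standard ones.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # native-endian magic as written by tcpdump -w
LINKTYPE_ETHERNET = 1


def frame(src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 (no options) around an L4 segment; checksum left 0, filters ignore it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800) + ip + l4


def tcp(src, sport, dst, dport, flags):
    # seq/ack 0, data offset 5 words, window 65535, checksum 0, urgent pointer 0
    return frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0))


def udp(src, sport, dst, dport, payload):
    return frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def write_pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):          # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def read_pcap(data):
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode(f):
    """Pull out the fields a host/port/proto filter looks at; None for non-IPv4 frames."""
    if struct.unpack_from("!H", f, 12)[0] != 0x0800:
        return None
    ip = f[14:]
    ihl = (ip[0] & 0x0F) * 4                # honour IP options if present
    proto = ip[9]
    sport = dport = None
    if proto in (6, 17):                    # TCP and UDP both begin with the two ports
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return {"proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
            "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport}


def matches(pkt, host=None, port=None, proto=None):
    """BPF semantics: 'host X' is src or dst, 'port N' is sport or dport."""
    if pkt is None:
        return False
    if host and host not in (pkt["src"], pkt["dst"]):
        return False
    if port and port not in (pkt["sport"], pkt["dport"]):
        return False
    return not proto or pkt["proto"] == proto


def filter_pcap(data, **expr):
    decoded = (decode(f) for _, f in read_pcap(data))
    return [p for p in decoded if matches(p, **expr)]


# Constructed traffic: the start of a TLS session to 192.0.2.10, a DNS query, an unrelated probe.
SAMPLE = write_pcap([
    tcp("10.0.0.5", 51000, "192.0.2.10", 443, 0x02),    # SYN
    tcp("192.0.2.10", 443, "10.0.0.5", 51000, 0x12),    # SYN/ACK
    udp("10.0.0.5", 53412, "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    tcp("10.0.0.7", 49152, "192.0.2.10", 8443, 0x02),   # same host, different port
])

if __name__ == "__main__":
    for p in filter_pcap(SAMPLE, host="192.0.2.10", port=443, proto="tcp"):
        print(f"{p['proto']} {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}")
```

Running the block prints the two packets of the 443 conversation and nothing else; the probe to 8443 matches `host 192.0.2.10` but not `port 443`, which is exactly the distinction the tcpdump expression draws.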

CyberChef

Often referred to as the "Cyber Swiss Army Knife", CyberChef is one of those tools that saves hours of work every week. It provides a browser-based interface for performing hundreds of common data manipulation tasks without needing to write scripts or remember obscure command syntax. It runs entirely client-side, so a downloaded copy works offline and the input never leaves the analyst's machine, which matters when that input is a malware sample or a customer's data.

Need to decode Base64? Extract indicators from a log file? Convert between data formats? Parse encoded malware strings? CyberChef can usually handle it with a simple drag-and-drop workflow. The ability to chain multiple operations together makes it particularly useful during incident response, malware analysis, and Capture The Flag (CTF) exercises.

What makes CyberChef especially valuable is that it lowers the barrier between an idea and a result. Rather than writing a quick script for every transformation, analysts can rapidly prototype and validate assumptions within seconds.
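The chaining model is the part worth internalising, and it is easy to reproduce when a recipe needs to run unattended over many files. The following is an added example, not code from CyberChef or the original post: a recipe is a list of (operation, options) steps, and bake() feeds each step's output into the next. The obfuscated input is constructed in the block (a made-up payload XORed with a made-up key, then Base64-encoded, the way a dropper might stash its configuration); the recipe reverses it and pulls out defanged indicators.

```python
"""A CyberChef-style recipe in Python: chained operations (added example).

Obfuscated input is constructed by obfuscate() below (XOR with a made-up key, then
Base64); the recipe reverses it and extracts IOCs.  Not code from CyberChef itself.
"""
import base64
import re
from itertools import cycle

KEY = b"k3y"                                            # made-up key
PLAINTEXT = b"beacon http://198.51.100.23/update.php?id=7 fallback 203.0.113.9:4444"


def from_base64(data: bytes) -> bytes:
    return base64.b64decode(data)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, symmetric, like CyberChef's XOR operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def extract_iocs(data: bytes) -> dict:
    text = data.decode("latin-1")                       # never fails, keeps byte positions
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s\"'<>]+", text))),
        "ipv4": sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text))),
    }


def defang(iocs: dict) -> dict:
    """Make indicators safe to paste into tickets: http -> hxxp, '.' -> '[.]'."""
    return {k: [v.replace("http", "hxxp").replace(".", "[.]") for v in vals]
            for k, vals in iocs.items()}


def bake(data, recipe):
    """Run each (operation, options) step on the previous step's output, like Bake."""
    for op, options in recipe:
        data = op(data, **options)
    return data


def obfuscate(plaintext: bytes, key: bytes) -> bytes:
    """Builds the constructed sample; mirrors a typical XOR-then-Base64 dropper config."""
    return base64.b64encode(xor(plaintext, key))


SAMPLE = obfuscate(PLAINTEXT, KEY)

RECIPE = [
    (from_base64, {}),
    (xor, {"key": KEY}),
    (extract_iocs, {}),
    (defang, {}),
]

if __name__ == "__main__":
    print(bake(SAMPLE, RECIPE))
```

Stopping the recipe after the first two steps gives the plaintext back, which is the "validate the assumption" moment before the extraction steps are appended; the same list, minus the obfuscation helper, can then be applied to every sample in a directory.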

Velociraptor

Velociraptor has rapidly become one of the most powerful open-source digital forensics and incident response platforms available today. It provides investigators with the ability to collect artefacts, hunt for threats, and perform large-scale endpoint investigations across entire environments.

The platform's flexibility comes from VQL, the Velociraptor Query Language, and from its artefact system: an artefact is a VQL query packaged in YAML with parameters and documentation, so investigators can build highly customised collection and detection workflows and share them. The same artefact run as a hunt is executed by every connected client, which is what turns a single-host check into enterprise-wide threat hunting. Whether gathering browser history, analysing persistence mechanisms, investigating malware infections, or hunting across the estate, Velociraptor provides a unified framework for acquiring and analysing data.

For organisations looking to build DFIR capabilities without the cost of large commercial platforms, Velociraptor represents an exceptionally capable solution.

Gilgamesh

*nix CoreUtils

These tools form the foundation of almost every Unix and Linux system. Commands such as grep, awk, sed, sort, cut, find, and xargs may appear simple individually, but together they create an incredibly powerful toolkit for manipulating and analysing data. (Strictly, only sort and cut belong to GNU coreutils; grep, awk, sed, find and xargs ship in their own packages, but every Unix-like system has them.)

There are slight differences between implementations across the Unix ecosystem (GNU sed -i edits in place with no argument, while BSD and macOS sed insist on a backup suffix, even an empty one as -i ''; pairing find -print0 with xargs -0 is the portable way to cope with file names containing spaces or newlines), but the underlying concepts remain consistent. Mastering these utilities enables analysts and engineers to process logs, automate repetitive tasks, interrogate large datasets, and solve complex problems directly from the terminal.

Many modern security tools generate enormous amounts of text output. Understanding how to efficiently filter, transform, and analyse that data using CoreUtils is often the difference between spending minutes on a task and spending hours.

ImHex

Hex editors have long been an essential component of reverse engineering and forensic workflows, but ImHex modernises the experience with an intuitive interface and powerful functionality.

Beyond simply viewing binary data, ImHex includes data visualisation, searching, and a C-like pattern language for declaring structures over the bytes, so a custom parser for a proprietary format is a few lines of type definitions rather than a script, with every field highlighted in the hex view. This makes it particularly useful when analysing malware samples, reverse engineering file formats, or investigating unusual binary artefacts.

The combination of usability and capability makes ImHex approachable for beginners while still providing the depth demanded by experienced analysts.
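The pattern-language idea, declaring structures over bytes and walking them, is the same one a scripted parser uses once the analysis has to be repeated over many files. The following is an added example, not from ImHex or the original post, in Python with the struct module: it builds a constructed PE-shaped blob (header layout per the PE/COFF format, made-up contents, not a runnable executable) and walks DOS header, PE signature, COFF header and section table, flagging sections that are both writable and executable or that have no data on disk yet claim a large in-memory size, two things worth a second look in a suspected packed sample.

```python
"""Walk PE headers the way an ImHex pattern does, with struct (added example).

build_sample_pe() returns a constructed blob: correct header layout, made-up contents,
not a runnable executable.  Offsets and flag values follow the PE/COFF format.
"""
import struct
from dataclasses import dataclass

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int

    def has(self, flag: int) -> bool:
        return bool(self.characteristics & flag)


@dataclass
class PEInfo:
    machine: int
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b"MZ":
        raise ValueError("no MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    # The section table starts after the optional header, whose size the COFF header declares.
    sect_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        raw = struct.unpack_from(SECTION_FMT, data, sect_off + i * struct.calcsize(SECTION_FMT))
        name = raw[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, raw[1], raw[2], raw[3], raw[4], raw[9]))
    return PEInfo(machine, sections)


def flag_suspicious(sections) -> list:
    """Names of sections that are W+X, or have no file data yet a non-zero in-memory size."""
    out = []
    for s in sections:
        wx = s.has(IMAGE_SCN_MEM_WRITE) and s.has(IMAGE_SCN_MEM_EXECUTE)
        filled_at_runtime = s.raw_size == 0 and s.virtual_size > 0
        if wx or filled_at_runtime:
            out.append(s.name)
    return out


def build_sample_pe() -> bytes:
    """Constructed two-section x64 image: an ordinary .text and a packer-style W+X section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: NT headers follow the DOS header
    opt = bytes(240)                                     # stand-in optional header (PE32+ size)
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, len(opt), 0x0022)
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    packed = struct.pack(SECTION_FMT, b".packed", 0x20000, 0x2000, 0, 0x1400, 0, 0, 0, 0,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
                         | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + coff + opt + text + packed


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info.sections:
        print(f"{s.name:8} vsize={s.virtual_size:#x} raw={s.raw_size:#x} chars={s.characteristics:#010x}")
    print("suspicious:", flag_suspicious(info.sections))
```

The parser deliberately trusts SizeOfOptionalHeader rather than assuming the PE32+ size, which is the same discipline an ImHex pattern enforces by reading the length field before declaring the next struct; samples that lie in that field are exactly the ones that break naive offset arithmetic.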

Python

Python is often described as the Swiss Army knife of cyber security, and for good reason. It is equally comfortable processing gigabytes of log data, automating system administration tasks, interacting with APIs, developing offensive security tooling, or supporting exploit development.

Its extensive ecosystem of libraries allows practitioners to focus on solving problems rather than reinventing functionality. Need to parse network traffic? Analyse malware? Interact with cloud environments? Perform statistical analysis? There is almost certainly a library available to help. That ecosystem is also a supply-chain surface, so pin versions and review what gets installed, especially in tooling that runs next to malware samples or holds credentials.

For many security professionals, Python serves as the bridge between manual analysis and scalable automation, turning repetitive tasks into repeatable workflows and enabling deeper analysis than would otherwise be practical.
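The log-triage task that both the CoreUtils section and this one describe, as an added example that is not from the original post: the constructed sshd lines below (hostnames, PIDs, addresses and the key fingerprint are made up) are parsed into events, failures are counted per source, and a successful login that follows a run of failures from the same address is flagged. The first count is what `grep 'Failed password' auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn` gives in the shell; the second is the kind of stateful check that is simpler to express, test and re-run in Python than in a pipeline.

```python
"""Triage sshd authentication events (added example, not from the original post).

LOG is constructed: hostnames, PIDs, addresses and fingerprints are made up.  The shell
equivalent of failures_by_source() is
    grep 'Failed password' auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
"""
import re
from collections import Counter

LOG = """\
Jan 12 10:01:02 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:01:04 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:01:07 bastion sshd[4123]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:01:09 bastion sshd[4125]: Accepted publickey for deploy from 10.0.0.8 port 40022 ssh2: ED25519 SHA256:made-up
Jan 12 10:01:11 bastion sshd[4125]: Disconnected from user deploy 10.0.0.8 port 40022
Jan 12 10:02:15 bastion sshd[4130]: Failed password for root from 198.51.100.77 port 60001 ssh2
Jan 12 10:02:31 bastion sshd[4133]: Accepted password for root from 203.0.113.5 port 51250 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse(text: str) -> list:
    """One dict per authentication event; other sshd lines (disconnects etc.) are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def failures_by_source(events) -> Counter:
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def successes_after_failures(events, threshold=3) -> list:
    """(ip, user, method) for each Accepted login preceded by >= threshold failures from that ip."""
    failed = Counter()
    hits = []
    for e in events:                        # events are in log order, so state is per source
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
        elif failed[e["ip"]] >= threshold:
            hits.append((e["ip"], e["user"], e["method"]))
    return hits


if __name__ == "__main__":
    events = parse(LOG)
    for ip, n in failures_by_source(events).most_common():
        print(f"{n:4d} {ip}")
    for ip, user, method in successes_after_failures(events):
        print(f"ALERT {ip} logged in as {user} via {method} after repeated failures")
```

The threshold is the knob to tune against real data: one failed password before a successful one is a typo, three from an address that was also guessing non-existent usernames is a credential-stuffing hit, and the publickey login from 10.0.0.8 is never flagged because it had no failures before it.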

Charlie

NetExec

NetExec has become one of the most useful post-exploitation and network enumeration tools available to operators working within Windows environments. Building upon the foundations established by CrackMapExec, NetExec provides a unified interface for interacting with common enterprise services such as SMB, LDAP, MSSQL, WinRM, RDP, and more.

One of its greatest strengths is consolidation. Rather than switching between multiple tools for enumeration, credential validation, service discovery, and information gathering, operators can perform many of these tasks through a single framework. This significantly streamlines assessments and allows practitioners to move more efficiently through large environments.

For defenders, understanding NetExec is equally valuable. The techniques it automates closely mirror real-world attacker behaviour, so replaying them in a lab or an authorised assessment, for example one set of credentials tried against every host in a subnet over SMB within a few seconds, is an excellent way to validate detections, understand attack paths, and assess defensive coverage.

Its combination of speed, flexibility, and protocol support has made it a staple tool for many penetration testers, red team operators, and security researchers.