Technology & Innovation

Open-Source Security Tools We Actually Use and Recommend

Admin User
·
Mar 15, 2026
·
11 min read

Why Open-Source Matters for Security

The cybersecurity tool market is crowded, expensive, and full of promises that do not survive contact with production environments. For many organisations, particularly SMEs in Luxembourg, the cost of commercial security platforms can consume the entire security budget before a single analyst is hired.

Open-source security tools offer a different path. Not free (you will invest time in deployment, tuning, and maintenance), but significantly more cost-effective and, in many cases, technically superior to their commercial counterparts. More importantly, open-source tools give you transparency: you can inspect the code, understand exactly what the tool does, and customise it to your specific needs.

What follows is not a theoretical survey. These are the tools we deploy, maintain, and rely on in production environments for our clients. We will be honest about both the strengths and the pain points.

Our philosophy: Use open-source where it provides equal or better capability than commercial alternatives. Use commercial tools where the open-source option requires more engineering effort than the organisation can sustain. Never use a tool, commercial or open-source, that you do not understand and cannot operate.

Wazuh: The SIEM That Actually Works

What It Is

Wazuh is a free, open-source security monitoring platform that provides threat detection, integrity monitoring, incident response, and compliance reporting. It is built on top of the ELK stack (Elasticsearch, Logstash, Kibana) but provides a security-focused layer with agent-based endpoint monitoring, log analysis, vulnerability detection, and regulatory compliance dashboards.

How We Use It

Wazuh is our default SIEM recommendation for SMEs. We deploy it as the central security monitoring platform, ingesting logs from endpoints (via Wazuh agents), network devices (via syslog), cloud environments (via API integrations), and applications. Typical deployments for 50-200 endpoint organisations run on a single server or small cluster.

What We Like

  • Agent-based architecture: The Wazuh agent provides file integrity monitoring, rootkit detection, vulnerability scanning, and log collection in a single lightweight package.
  • Built-in compliance dashboards: PCI DSS, GDPR, HIPAA, and NIST compliance dashboards out of the box. Useful for demonstrating control effectiveness to auditors.
  • Active response: Can automatically respond to threats (block IPs, isolate endpoints) based on configurable rules.
  • Regular updates: The Wazuh team maintains active development with frequent releases and good documentation.

Pain Points

  • Resource hungry: Elasticsearch requires substantial RAM and disk. Plan for 16GB RAM minimum for small deployments, 64GB+ for larger environments.
  • Tuning required: Out-of-the-box rules generate significant noise. Plan for 2-4 weeks of tuning to reduce false positives to manageable levels.
  • Dashboard complexity: The Kibana-based interface has a steep learning curve for non-technical users.
  • Scaling: For organisations above 500 endpoints, Elasticsearch cluster management becomes a skill requirement in itself.

Verdict: If you need a SIEM and cannot justify the cost of Splunk, Elastic Security, or Microsoft Sentinel, Wazuh is the answer. Budget 2-3 days for initial deployment and 2-4 weeks for tuning.

MISP: Threat Intelligence Sharing Done Right

What It Is

MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform developed by CIRCL, right here in Luxembourg. It enables organisations to collect, store, distribute, and share cybersecurity indicators of compromise (IoCs) and threat intelligence.

How We Use It

We run MISP as a central threat intelligence repository that feeds into Wazuh and other detection tools. MISP instances are connected to community feeds (CIRCL's feed, abuse.ch, various sector-specific sharing groups) and enriched with intelligence from our own investigations. When we discover new IoCs during incident response or threat hunting, they go into MISP and are automatically distributed to all connected detection systems.

What We Like

  • Luxembourg pedigree: Developed and maintained by CIRCL. Local support, active community, and deep integration with the Luxembourg security ecosystem.
  • Flexible data model: MISP can represent complex threat intelligence relationships, not just flat IoC lists. Galaxies, clusters, and taxonomies provide rich context.
  • Sharing groups: Fine-grained control over what is shared with whom. Essential for maintaining trust in intelligence-sharing communities.
  • API-first design: Everything in MISP is accessible via API, making integration with SIEMs, firewalls, and other tools straightforward.
  • Community: Active global community with regular events, training, and an extensive library of shared galaxy clusters and taxonomies.

Pain Points

  • Complexity: MISP's data model is powerful but complex. Non-specialist users find it overwhelming initially.
  • Feed management: With many feeds connected, data quality becomes an issue. You need to curate feeds and set appropriate confidence levels, or your detection systems drown in low-quality indicators.
  • UI: The web interface is functional but dated. Navigation and workflow could be more intuitive.
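The MISP-to-Wazuh flow described above (pull indicators over the MISP REST API, curate them, push them to the detection layer) is easy to prototype. The script below is an added example, not code from MISP, CIRCL, Wazuh or the authors of this post: it takes the JSON that MISP's `/attributes/restSearch` endpoint returns, keeps only indicators flagged `to_ids`, drops attribute types Wazuh cannot match cleanly and anything tagged with the `false-positive` taxonomy, and writes the result as a Wazuh CDB list (`key:value` per line, unique keys). The response shape, the tag names and the `fetch_attributes()` parameters are assumptions to check against your own MISP instance; the sample response is constructed for the demonstration.

```python
"""Turn MISP attributes into a Wazuh CDB list, with basic feed curation (added example)."""
import json
import urllib.request
from typing import Dict, Iterable, List

# Attribute types whose value maps cleanly onto a CDB key. 'url' and the
# composite 'domain|ip' types are excluded on purpose: CDB keys end at the
# first ':' (or '|'), so those values would be truncated or mis-keyed.
WANTED_TYPES = {"ip-dst", "ip-src", "domain", "hostname", "md5", "sha1", "sha256"}

# Tag prefixes that mark an indicator as unreliable (MISP 'false-positive' taxonomy).
IGNORED_TAG_PREFIXES = ("false-positive:",)


def fetch_attributes(base_url: str, api_key: str, days: int = 7) -> dict:
    """Query MISP's restSearch endpoint for recently published attributes.

    Assumed request shape: POST /attributes/restSearch with a JSON body and the
    API key in the Authorization header. Not exercised by the offline demo.
    """
    body = json.dumps({"returnFormat": "json", "to_ids": 1,
                       "publish_timestamp": f"{days}d", "includeTag": 1}).encode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/attributes/restSearch", data=body, method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _is_ignored(attr: dict) -> bool:
    """True if any tag on the attribute starts with an ignored prefix."""
    return any(tag.get("name", "").startswith(IGNORED_TAG_PREFIXES)
               for tag in attr.get("Tag", []))


def to_cdb_entries(response: dict) -> List[str]:
    """Convert a restSearch response into sorted, de-duplicated CDB lines.

    Each line is '<indicator>:<event_id>' so an analyst who sees a Wazuh
    match can pivot straight back to the originating MISP event.
    """
    seen: Dict[str, str] = {}
    for attr in response.get("response", {}).get("Attribute", []):
        if not attr.get("to_ids"):          # not meant for automated detection
            continue
        if attr.get("type") not in WANTED_TYPES:
            continue
        if _is_ignored(attr):               # curated out as a known false positive
            continue
        value = attr.get("value", "").strip().lower()
        if not value or value in seen:      # CDB keys must be unique; keep first
            continue
        seen[value] = str(attr.get("event_id", "unknown"))
    return sorted(f"{value}:{event}" for value, event in seen.items())


def write_cdb(entries: Iterable[str], path: str) -> None:
    """Write CDB lines to disk; run 'ossec-makelists' / restart the manager afterwards."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(entries) + "\n")


# Constructed sample response mimicking restSearch output (not real intelligence).
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"event_id": "42", "type": "ip-dst", "to_ids": True, "value": "203.0.113.10",
     "Tag": [{"name": "tlp:amber"}]},
    {"event_id": "42", "type": "domain", "to_ids": True, "value": "Evil.Example"},
    {"event_id": "42", "type": "ip-src", "to_ids": False, "value": "198.51.100.7"},
    {"event_id": "57", "type": "sha256", "to_ids": True, "value": "a" * 64,
     "Tag": [{"name": 'false-positive:risk="high"'}]},
    {"event_id": "57", "type": "comment", "to_ids": True, "value": "analyst note"},
    {"event_id": "57", "type": "ip-dst", "to_ids": True, "value": "203.0.113.10"},
]}}

if __name__ == "__main__":
    for line in to_cdb_entries(SAMPLE_RESPONSE):
        print(line)
```

Run it as-is to see the two surviving indicators; in production, replace `SAMPLE_RESPONSE` with the result of `fetch_attributes()` and reference the written file from a `<list>` entry in your Wazuh ruleset. The `to_ids` and tag filters are where the curation the pain point above calls for happens: an uncurated feed that sets `to_ids` on everything will still flood the list.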

Verdict: Essential for any organisation serious about threat intelligence. Particularly valuable in Luxembourg where CIRCL's MISP instance provides a direct connection to national-level threat intelligence. Pairs excellently with Wazuh for automated IoC-based detection.

MONARC: Risk Assessment Made Practical

What It Is

MONARC (Method for an Optimised aNAlysis of Risks by CASES) is an open-source risk assessment tool, also developed in Luxembourg by CASES (a division of the national cybersecurity agency). It provides a structured method for conducting information security risk assessments aligned with ISO 27005.

How We Use It

MONARC is our standard tool for client risk assessments, particularly for NIS2 and CSSF compliance. It provides a structured workflow from asset inventory through threat and vulnerability identification to risk evaluation and treatment planning. For Luxembourg organisations, the fact that it is developed locally and aligned with national guidelines is a significant advantage.

What We Like

  • Structured methodology: Forces a systematic approach to risk assessment. Particularly useful for organisations new to formal risk management.
  • Pre-built knowledge bases: Comes with asset libraries, threat catalogues, and vulnerability databases that significantly reduce the time needed to conduct an assessment.
  • Multi-tenancy: Can manage risk assessments for multiple clients or business units from a single instance.
  • Report generation: Produces professional risk assessment reports suitable for management review and regulatory submissions.
  • Luxembourg alignment: Designed for Luxembourg's regulatory environment. Recognised by CSSF and other national authorities.

Pain Points

  • Learning curve: The methodology requires training to use effectively. Plan for at least a day of training before conducting your first assessment.
  • Interface: Functional but not modern. Some workflows require more clicks than necessary.
  • Scale: Best suited for small to mid-sized assessments. Very large, complex organisations may outgrow it.

Verdict: The best open-source risk assessment tool available, and it is Luxembourg-made. If you need to conduct risk assessments for NIS2, DORA, or ISO 27001, start here.

Suricata: Network Detection That Scales

What It Is

Suricata is an open-source network threat detection engine capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM), and offline PCAP processing. It is maintained by the Open Information Security Foundation (OISF).

How We Use It

We deploy Suricata at network chokepoints (perimeter, between security zones, in front of critical assets) to provide network-level visibility and threat detection. It feeds alerts into Wazuh for centralised monitoring and correlation. For organisations that need IDS/IPS capability without the cost of commercial solutions like Palo Alto or Cisco, Suricata is our go-to recommendation.

What We Like

  • Multi-threading: Unlike Snort (its predecessor/competitor), Suricata is built for multi-core processors. It handles multi-gigabit traffic on modern hardware.
  • Protocol detection: Suricata identifies application-layer protocols regardless of port, providing visibility into tunnelled and non-standard traffic.
  • EVE JSON logging: Produces rich, structured JSON logs that integrate easily with Elasticsearch/Wazuh.
  • Rule compatibility: Compatible with Snort rules, giving access to a massive library of community and commercial rule sets (Emerging Threats, Proofpoint).
  • File extraction: Can extract files from network traffic for further analysis (malware sandboxing, data loss prevention).

Pain Points

  • Hardware requirements: High-throughput deployments require dedicated hardware with quality NICs. Do not expect to run Suricata effectively on a virtual machine for anything beyond lab environments.
  • Encrypted traffic: Like all network IDS, Suricata's effectiveness diminishes with encrypted traffic. TLS inspection or endpoint-based detection is needed to complement it.
  • Rule management: Managing and tuning thousands of rules requires ongoing effort. Tools like suricata-update help but do not eliminate the work.
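EVE JSON is what makes the rule-tuning work tractable: because every alert is a structured record, the noisiest signatures can be ranked programmatically instead of by eyeballing a dashboard. The script below is an added example, not part of Suricata, OISF or this post: it reads EVE lines, ignores non-alert event types and malformed lines, aggregates alerts per `signature_id`, and for low-priority signatures that fire repeatedly emits `threshold.config` lines that rate-limit them per source instead of disabling them outright. The EVE field names are Suricata's; the sample log lines, signature ids and the `min_count`/`min_severity` cut-offs are constructed for the demonstration.

```python
"""Rank noisy Suricata alerts from EVE JSON and suggest threshold entries (added example)."""
import json
from typing import Dict, Iterable, List


def summarise_alerts(lines: Iterable[str]) -> Dict[int, dict]:
    """Aggregate EVE 'alert' records per signature id.

    Returns {signature_id: {signature, category, severity, count, sources, dests}}.
    Non-alert events (dns, flow, ...) and unparsable lines are skipped.
    """
    summary: Dict[int, dict] = {}
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # truncated or corrupt line in the log
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        sid = alert.get("signature_id")
        if sid is None:
            continue
        entry = summary.setdefault(sid, {
            "signature": alert.get("signature", "?"),
            "category": alert.get("category", "?"),
            "severity": alert.get("severity", 4),   # 1 = highest priority
            "count": 0, "sources": set(), "dests": set()})
        entry["count"] += 1
        entry["sources"].add(rec.get("src_ip"))
        entry["dests"].add(rec.get("dest_ip"))
    return summary


def suggest_thresholds(summary: Dict[int, dict], min_count: int = 3,
                       min_severity: int = 3, seconds: int = 3600) -> List[str]:
    """Emit threshold.config lines for low-priority signatures that fire repeatedly.

    'type limit, track by_src, count 1' keeps one alert per source per window,
    so the signal survives while the volume drops. High-priority rules
    (severity below min_severity) are never throttled here.
    """
    lines = []
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        if e["count"] >= min_count and e["severity"] >= min_severity:
            lines.append(f"threshold gen_id 1, sig_id {sid}, type limit, "
                         f"track by_src, count 1, seconds {seconds}")
    return lines


# Constructed EVE lines: four hits of a chatty low-priority rule, one high-priority
# alert, one malformed line and two non-alert events. Signature ids are made up.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-03-10T09:00:01+0100","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.10","proto":"TCP","alert":{"signature_id":9000001,"rev":2,'
    '"signature":"CONSTRUCTED policy noise","category":"Not Suspicious Traffic","severity":3}}',
    '{"timestamp":"2026-03-10T09:00:02+0100","event_type":"dns","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.test"}}',
    '{"timestamp":"2026-03-10T09:00:03+0100","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.10","alert":{"signature_id":9000001,"severity":3,'
    '"signature":"CONSTRUCTED policy noise","category":"Not Suspicious Traffic"}}',
    '{"timestamp":"2026-03-10T09:00:04+0100","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.11","alert":{"signature_id":9000001,"severity":3,'
    '"signature":"CONSTRUCTED policy noise","category":"Not Suspicious Traffic"}}',
    '{"timestamp":"2026-03-10T09:00:05+0100","event_type":"alert","src_ip":"10.0.0.9",'
    '"dest_ip":"203.0.113.10","alert":{"signature_id":9000001,"severity":3,'
    '"signature":"CONSTRUCTED policy noise","category":"Not Suspicious Traffic"}}',
    '{"timestamp":"2026-03-10T09:01:00+0100","event_type":"alert","src_ip":"10.0.0.7",'
    '"dest_ip":"198.51.100.20","alert":{"signature_id":9000002,"severity":1,'
    '"signature":"CONSTRUCTED c2 beacon","category":"Malware Command and Control"}}',
    '{"timestamp":"2026-03-10T09:01:01+0100","event_type":"flow","src_ip":"10.0.0.7"',
    '{"timestamp":"2026-03-10T09:01:02+0100","event_type":"flow","src_ip":"10.0.0.7",'
    '"dest_ip":"198.51.100.20","flow":{"pkts_toserver":4,"pkts_toclient":3}}',
]

if __name__ == "__main__":
    s = summarise_alerts(SAMPLE_EVE_LINES)
    for sid, e in sorted(s.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{sid} x{e['count']} sev={e['severity']} srcs={len(e['sources'])} "
              f"dsts={len(e['dests'])} {e['signature']}")
    print("\n".join(suggest_thresholds(s)))
```

Point it at a real `eve.json` with `summarise_alerts(open("/var/log/suricata/eve.json"))` and review the suggested lines before adding them to `threshold.config`; throttling is a first pass, and a signature that is genuinely irrelevant in your environment belongs in a `disable.conf` for suricata-update instead.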

Verdict: The best open-source network IDS/IPS available. Combine with Wazuh for centralised alerting and Arkime for full packet capture when deep investigation is needed.

Arkime: Full Packet Capture for When You Need the Evidence

What It Is

Arkime (formerly Moloch) is an open-source, large-scale, full packet capture and network analysis tool. It indexes network traffic, stores the raw packets, and provides a web interface for searching and analysing captured data.

How We Use It

Arkime is deployed alongside Suricata for full packet capture on critical network segments. When Suricata generates an alert, analysts can pivot to Arkime to see the full context: the complete session, all packets, extracted files, and related sessions. It is invaluable during incident investigations where you need to answer "what exactly happened" with forensic-grade evidence.

What We Like

  • Full session reconstruction: See complete network conversations, not just alerts. Essential for understanding attack chains.
  • Powerful search: Session-based search with rich filtering. Find all traffic to a specific IP, with a specific protocol, during a specific time window, in seconds.
  • SPI (Session Profile Intelligence) views: Quick statistical overviews of traffic patterns, unusual protocols, and data volumes.
  • Integration: Works seamlessly with Suricata alerts and can be integrated into the Wazuh/ELK stack.

Pain Points

  • Storage: Full packet capture consumes enormous amounts of disk space. Plan for 50-100GB per day on a moderately busy 1Gbps link. Storage costs dominate the total cost of ownership.
  • Deployment complexity: Setting up Arkime with proper capture, indexing, and retention policies requires networking and systems expertise.
  • Encrypted traffic: Encrypted payloads cannot be inspected, limiting the depth of analysis for TLS-encrypted sessions.

Verdict: Not for every organisation, but invaluable for incident response and forensic investigation. If you run a SOC or need to support regulatory incident investigations (DORA, NIS2), Arkime provides the evidence trail that log-only solutions cannot.

OpenVAS / Greenbone: Vulnerability Scanning Without the Licence Fee

What It Is

OpenVAS (Open Vulnerability Assessment Scanner), now part of the Greenbone Vulnerability Management (GVM) framework, is an open-source vulnerability scanner. It maintains a database of network vulnerability tests (NVTs) and scans your infrastructure for known vulnerabilities.

How We Use It

We use OpenVAS/GVM for regular internal vulnerability scanning for clients who do not have commercial scanner licences. It runs on a scheduled basis, scanning internal networks and generating reports that feed into the vulnerability management process.

What We Like

  • Comprehensive NVT database: Regularly updated with new vulnerability tests. Covers a broad range of operating systems, network devices, and applications.
  • Scheduled scanning: Set it and forget it (almost). Schedule regular scans and receive reports automatically.
  • Compliance checks: Includes compliance audit policies for common standards.
  • Cost: Free. For an organisation running Nessus at EUR 3,000+/year, the savings are meaningful.

Pain Points

  • Installation: GVM's installation process has historically been painful. Docker deployments have improved this significantly, but expect to spend half a day on initial setup.
  • Scan speed: Slower than Nessus for equivalent scope. Large network scans can take significantly longer.
  • False positives: Higher false positive rate than commercial scanners. Manual verification of findings is essential.
  • Web application testing: Limited compared to dedicated web application scanners. Do not rely on OpenVAS for web application vulnerability assessment.

Verdict: A solid, cost-effective option for network vulnerability scanning. Not a replacement for Nessus in every scenario, but entirely adequate for many SME environments. Combine with dedicated web application scanning (OWASP ZAP or Burp Suite) for comprehensive coverage.

Honourable Mentions

Several other open-source tools deserve mention, even if we cannot give each a full review:

  • TheHive: Incident response platform for case management. Pairs well with MISP for intelligence-driven incident response. Excellent for teams that handle multiple concurrent incidents.
  • Cortex: Analysis engine that works with TheHive. Automates the enrichment of observables (IP addresses, file hashes, URLs) by querying multiple threat intelligence sources simultaneously.
  • OWASP ZAP: Web application security scanner. The best open-source option for automated web application vulnerability assessment. We use it alongside manual testing in every web application pentest.
  • CyberChef: GCHQ's open-source data analysis tool. Invaluable for decoding, decrypting, and analysing data during investigations. Every analyst should have it bookmarked.
  • Velociraptor: Endpoint visibility and digital forensics tool. Enables rapid endpoint investigation and hunting across large fleets. Increasingly replacing commercial EDR for forensic collection.

Building an Open-Source Security Stack

For a Luxembourg SME looking to build a security monitoring capability on a budget, here is the stack we recommend as a starting point:

  1. Wazuh as the central SIEM and endpoint monitoring platform
  2. MISP for threat intelligence, connected to CIRCL's feeds
  3. Suricata for network detection at the perimeter
  4. OpenVAS/GVM for regular vulnerability scanning
  5. MONARC for risk assessment and compliance documentation

This stack provides SIEM, endpoint detection, network monitoring, vulnerability management, threat intelligence, and risk assessment, all for zero licence cost. The investment is in hardware (a single dedicated server for small deployments, approximately EUR 3,000-5,000) and human time (deployment, tuning, ongoing management).

For organisations with more resources, add Arkime for full packet capture and TheHive/Cortex for structured incident response. The total licence cost remains zero. The total capability rivals commercial stacks costing EUR 100,000+ annually.

Open-source is not a compromise. It is a strategic choice that gives you capability, transparency, and control. The tools exist. The question is whether you are willing to invest the time to learn and operate them.
