Resources

A curated collection of security distributions, vulnerable practice environments, and reference materials for vulnerability scanning and penetration testing professionals.


Security Distributions

Purpose-built Linux distributions pre-loaded with security testing tools.

  • Kali Linux — The industry-standard Debian-based penetration testing distribution maintained by OffSec, shipping 600+ pre-installed security tools including Nmap, Metasploit, Burp Suite, and Aircrack-ng. Available as ISO, VM, WSL, Docker, and ARM images.

  • Parrot Security OS — Debian-based security distribution offering Home, Security, and Cloud editions. Lighter than Kali, with a focus on privacy and development alongside pentesting tools.

  • BlackArch Linux — Arch Linux-based distribution with over 2,800 security tools in its repository. Can be installed standalone or added as an unofficial repository to an existing Arch installation.

  • Commando VM — A Windows-based penetration testing virtual machine by Mandiant (Google Cloud), automating the installation of 140+ security tools on Windows 10/11 via Boxstarter and Chocolatey.

  • REMnux — Ubuntu-based distribution focused specifically on reverse engineering and malware analysis, maintained by Lenny Zeltser and the SANS Institute.


Vulnerable Practice Targets

Intentionally vulnerable applications and virtual machines for safe, legal hands-on practice.

  • Metasploitable 2 — An intentionally vulnerable Ubuntu VM maintained by Rapid7, designed as a target for testing Metasploit exploits and common vulnerability scanning techniques.

  • Metasploitable 3 — The successor to Metasploitable 2, built with Vagrant and Packer, providing both Windows and Linux vulnerable VMs with a wider range of modern vulnerabilities.

  • DVWA (Damn Vulnerable Web Application) — A PHP/MySQL web application with deliberately insecure code, covering SQL injection, XSS, CSRF, file inclusion, command injection, and brute force at configurable difficulty levels.

  • WebGoat — OWASP’s deliberately insecure Java web application designed to teach web application security through guided lessons covering injection, authentication, access control, and cryptography flaws.

  • OWASP Juice Shop — A modern, intentionally insecure Node.js/Angular web application with 100+ hacking challenges covering the OWASP Top 10 and beyond, complete with a built-in score board.

  • HackTheBox — An online platform offering vulnerable virtual machines, challenges, and labs for practising penetration testing skills. Includes both free and paid tiers with regular new machine releases.

  • TryHackMe — Browser-based cybersecurity training platform with guided learning paths, virtual labs, and CTF-style rooms. Particularly accessible for beginners with step-by-step walkthroughs.

  • VulnHub — A repository of downloadable vulnerable VM images designed for local practice. Hundreds of community-contributed machines covering a wide range of difficulty levels and vulnerability types.

  • bWAPP (Buggy Web Application) — A free, deliberately insecure PHP web application covering over 100 web vulnerabilities including all OWASP Top 10 items, available as a standalone install or as the bee-box VM.

  • XVWA (Xtreme Vulnerable Web Application) — A badly coded PHP/MySQL web application for learning application security, covering SQL injection, OS command injection, SSRF, XXE, and insecure direct object references.


Vulnerability Databases & Intelligence

Reference databases for CVE lookups, exploit research, and threat intelligence.

  • NIST NVD (National Vulnerability Database) — The U.S. government’s authoritative repository of CVE vulnerability data enriched with CVSS scores, CWE classifications, and affected product enumerations (CPE).

  • MITRE CVE — The master list of Common Vulnerabilities and Exposures identifiers, serving as the universal naming standard for publicly known security vulnerabilities.

  • Exploit-DB — A public archive of exploits and vulnerable software maintained by OffSec, searchable by CVE, platform, and type. Includes the Google Hacking Database (GHDB).

  • CISA KEV (Known Exploited Vulnerabilities) — A catalogue of vulnerabilities confirmed to be actively exploited in the wild, maintained by CISA. Widely used for prioritising remediation efforts.

  • AttackerKB — A community-driven knowledge base by Rapid7 where researchers assess and discuss the exploitability and real-world impact of disclosed vulnerabilities.


Standards & Frameworks

Security testing methodologies, standards, and compliance frameworks.

  • OWASP Top 10 — The most widely referenced list of critical web application security risks, updated periodically by the OWASP Foundation. The baseline for web application security testing.

  • OWASP Testing Guide — A comprehensive, open-source manual for web application security testing covering methodology, tools, and specific test cases for every vulnerability class.

  • PTES (Penetration Testing Execution Standard) — A standard defining the baseline for penetration testing engagements, covering pre-engagement, intelligence gathering, threat modelling, exploitation, and reporting.

  • NIST Cybersecurity Framework — A voluntary framework of standards and best practices for managing cybersecurity risk, widely adopted by organisations across government and private sectors.

  • CIS Benchmarks — Consensus-based configuration guidelines for hardening operating systems, cloud providers, network devices, and applications. Free PDF downloads available.

  • MITRE ATT&CK — A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations, used to map vulnerability scanner findings to attacker behaviour.