CERT Tools

This comprehensive list of CERT tools includes tools from multiple areas of work within the CERT Division of the SEI. They are grouped by general function, but your needs may require that you select from multiple areas.

The SEI also offers a broad range of technologies and management techniques that enable organizations to improve the results of software projects, the quality and behavior of software systems, and the security and survivability of networked systems. Browse the complete suite of SEI tools and methods.

Analyze and Reduce Vulnerabilities in Your Code

Our tools help you detect, eliminate, and avoid creating vulnerabilities in software.

  • Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms by performing mutational fuzzing on software that consumes file input.
  • Clang Thread Safety Analysis is a tool that uses annotations to declare and enforce thread safety policies in C and C++ programs.
  • Compiler-Enforced Buffer Overflow Elimination is a tool that prevents buffer overflows in multithreaded code and has additional features not found in other memory safety mechanisms.
  • Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool that is used for finding defects in applications that run on the Windows platform.
  • CERT Tapioca is a virtual machine appliance for performing man-in-the-middle network traffic analysis of software and devices.
  • The CERT Triage Tools script and the GNU Debugger (GDB) extension named 'exploitable' classify Linux application defects by severity.
  • Source Code Analysis Laboratory (SCALe) is a conformance process that enables conformance testing of C language software systems against the CERT C Secure Coding Standard and the CERT Oracle Secure Coding Standard for Java.
  • The DidFail tool uses static analysis to detect potential leaks of sensitive information within a set of Android apps (cost free, open-source, available for easy download by the public). In February 2015, we released new versions of the tool; enhancements are described in the technical report Making DidFail Succeed: Enhancing the CERT Static Taint Analyzer for Android App Sets.
  • The Rosecheckers tool is an open source compiler infrastructure that can be used to build source-to-source program transformation and analysis tools for large-scale applications (cost free, open-source, available for easy download by the public).
  • The AIR Integer Model provides a mostly-automated mechanism for eliminating integer overflow, truncation, and other integer-related exception-creating conditions.
  • The Secure Coding Validation Suite is a set of tests that validate the rules defined in ISO Technical Specification 17961.

Monitor Large-Scale Networks Using Flow Data

Our repository of open source tools for large-scale network monitoring provides tools used for situational awareness of large-scale networks' operations and security using flow data.

  • Analysis Pipeline processes SiLK Flow records to automate common tasks, get closer to "real-time" reporting of events, and feed data to a SIEM.
  • fixbuf provides an implementation of the IPFIX Protocol as a C library, for building IPFIX Collecting and Exporting Processes.
  • IPA is an IP address annotation system.
  • iSiLK is a graphical front-end for the SiLK tools, designed to work with an existing installation of the SiLK analysis suite.
  • netsa-python library is a grab-bag of Python routines and frameworks that we have found helpful when developing analyses using the SiLK toolkit.
  • Orcus is a system for analyzing passively-collected DNS information.
  • Rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
  • SiLK facilitates security analysis of large networks.
  • SiLK IPset contains a library and a set of command line tools to build and manipulate IPset files.
  • snarf is a distributed alert reporting system.
  • super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
  • YAF processes packet data into bidirectional flow records that can be used as input into an IPFIX Collecting Process.

Conduct Forensics Examinations

Our forensics tools repository is a collection of tools that facilitate forensic examinations and assist authorized members of the law enforcement community. Some tools are available to everyone, some have restricted access, and others cannot be accessed. Follow the links below to learn more about how to request access to the restricted access tools.

Full Access

  • AfterLife permits the collection of physical memory contents from a system after a warm or cold reboot.
  • Live View (public version) is a Java-based graphical forensics tool that creates a VMware virtual machine out of a raw (dd-style) disk image or physical disk.
  • DINO is a lightweight front end for network visualization and utilizes the open source network monitoring tools SiLK and SNORT to create an easy-to-use dashboard for situational awareness.
  • LATK is a collection of command line and web-based tools for use in incident response and long-term analysis of web server and proxy server log data.
  • CERT Linux Forensics Tools Repository houses packages for Linux distributions. The repository provides useful tools for cyber forensics acquisition and analysis practitioners and currently offers packages for Fedora and CentOS/RHEL.

Restricted Access

  • Live View LE allows forensic investigators to take a physical device or an image file of a disk or partition and automatically transform it into a virtual machine.
  • CCFinder is a suite of utilities designed to facilitate the discovery, organization, and query of financial data and related personally identifiable information in large-scale investigations.
  • CryptHunter alerts law enforcement if active encryption is running on a system so that investigators can act to preserve evidence that would be lost if the system were shut down.
  • ADIA is a VMware-based appliance used for digital investigation and acquisition.

By Request Only

  • C-CAP is a state-of-the-art forensics analysis environment that provides a broad set of tools for host-based and network investigations.
  • MCARTA is a complete incident analysis framework with respect to run-time analysis, with automated log and packet data correlation.

Use Our Insider Threat Datasets

Our insider threat test datasets provide both synthetic background data and data from synthetic malicious actors to support research projects that benefit from realistic insider threat data.


Get timely information about vulnerability discovery, coordination, and disclosure.