PRACTITIONER GUIDE | SECURITY OPERATIONS
Practitioner GuideUpdated 15 min read

Zero-Budget Security Stack: 7 Free Tools That Actually Work Together

$0
licensing cost for the full stack described in this guide, Wazuh, Zeek, Velociraptor, OpenSearch, and Greenbone
15+
free and open-source tools covering detection, monitoring, network analysis, vulnerability scanning, and response
80%
approximate coverage of commercial SIEM and EDR capabilities achievable with the open-source stack described here
6
security control categories covered: host monitoring, network detection, vulnerability management, DFIR, log analysis, alerting

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The most common reason small security teams do not have basic detection coverage is not lack of skill or lack of time. It is the assumption that real security tools cost real money. That assumption is wrong. A team of two to three practitioners can build a functional security stack covering endpoint visibility, log aggregation, network detection, vulnerability scanning, identity monitoring, threat intelligence, and phishing defense entirely from free and open-source tools. This guide covers the seven tools that form that stack, how each one integrates with the others, and the deployment sequence that gets you from zero to operational coverage in under 30 days.

Why Most Free Security Tool Lists Fail You

Most lists of free security tools are actually lists of demos, freemium tiers, or abandoned projects that were last updated in 2018. This guide applies three filters before including any tool: it must be actively maintained (commit activity in the last 90 days), it must be deployable by a small team without vendor professional services, and it must produce output that a practitioner can act on, not just dashboards with green lights.

The second problem with most lists is they treat tools as independent items. Real security coverage requires integration. A vulnerability scanner that cannot feed findings into your SIEM, and a SIEM that cannot correlate endpoint alerts with network anomalies, leaves you with three separate consoles and no ability to see attack chains. This stack is designed around integration as a first-class requirement.

Tool 1: Wazuh (Endpoint Detection and Log Aggregation)

Wazuh is a free, open-source XDR and SIEM platform that replaces two of the most expensive categories in a commercial security stack. It provides host-based intrusion detection, file integrity monitoring, vulnerability detection, log collection and aggregation, and a web dashboard for alert triage, all from a single agent-plus-manager architecture.

Why it leads the stack: Wazuh is the integration hub that everything else feeds into. Once your Wazuh manager is running, all other tools in this list can ship their logs and alerts to Wazuh for centralized correlation.

Deployment: Install the Wazuh manager on a dedicated Linux host (4 vCPUs, 8 GB RAM handles up to 50 agents comfortably). Deploy the Wazuh agent to every endpoint. The agent collects Windows Event Logs, Linux syslog, macOS unified logs, and application logs from paths you define. Out of the box, Wazuh includes rules for detecting common attack techniques: brute force authentication, privilege escalation, web shell activity, rootkit indicators, and policy violations.

Integration points: Wazuh natively ingests Zeek logs (Tool 2), OpenVAS findings (Tool 3), and supports custom log parsers for any other text-based log source. It also supports webhook output to Slack or Teams for alert notifications.

Limitation to know: Wazuh's default ruleset generates significant noise without tuning. Spend the first two weeks after deployment identifying your top 10 noisiest rules and suppressing known-good activity before treating alert volume as meaningful.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Tool 2: Zeek (Network Visibility and Protocol Analysis)

Zeek (formerly Bro) is a network analysis framework that passively monitors network traffic and generates structured log files covering every connection, DNS query, HTTP request, SSL certificate, file transfer, and authentication event it observes. It does not generate alerts by default. Instead, it produces a rich stream of structured logs that are far more useful than raw packet captures for detection engineering and threat hunting.

Why network visibility matters: Endpoint agents miss activity that happens between hosts, between network segments, or on devices that cannot run agents (printers, IoT, OT equipment, network gear). Zeek fills this gap.

Deployment: Zeek runs on a Linux host with a network interface in promiscuous mode, positioned at a network tap or SPAN port. For small environments with a single internet uplink, deploying Zeek inline at the perimeter captures most high-value traffic. The log output is written to files in /usr/local/zeek/logs/ by default.

Integration with Wazuh: Configure Wazuh to monitor Zeek's log directory. Add a custom Wazuh decoder for Zeek's JSON format (the Wazuh community maintains one). Once connected, Wazuh can correlate Zeek network events with host-level events from the Wazuh agent, enabling detections like: endpoint makes outbound connection to IP that was observed in Zeek DNS logs as a newly registered domain.

High-value Zeek logs: conn.log (all connections with bytes transferred, duration, originator/responder), dns.log (all DNS queries and responses), ssl.log (TLS certificate details including self-signed certs and certificate mismatches), http.log (all HTTP requests with user agents and response codes), files.log (all file transfers with MIME type and MD5 hash).

Tool 3: OpenVAS / Greenbone Community Edition (Vulnerability Scanning)

OpenVAS, now distributed as Greenbone Community Edition, is a full-featured vulnerability scanner that checks systems against a database of over 50,000 network vulnerability tests (NVTs) and maps findings to CVE identifiers and CVSS scores. It is the open-source equivalent of Nessus Essentials but without the 32-IP scan limit.

Deployment: Install the Greenbone Community Edition via Docker (the recommended path as of 2024) or via packages on Kali Linux or Debian. The Docker compose deployment runs the full stack (scanner, manager, web UI) with a single command. Greenbone feeds update daily via the Greenbone Community Feed.

Scan strategy for small teams: Run authenticated scans (providing OS credentials to the scanner) against all internal hosts weekly. Authenticated scans detect locally installed software vulnerabilities, missing patches, and misconfigurations that unauthenticated scans miss entirely. Unauthenticated scans are appropriate for internet-facing assets and network devices.

Integration with Wazuh: The Greenbone Manager exposes an API (GMP protocol) that allows automated export of findings. The Wazuh vulnerability detection module can be configured to import Greenbone scan results and correlate them with agent data to identify which running hosts have which vulnerabilities, enabling risk-prioritized alerting.

Tool 4: Sysmon (Windows Endpoint Telemetry)

Sysmon (System Monitor) is a free Windows system service from Microsoft's Sysinternals suite that generates detailed event logs for process creation, network connections, file creation, registry changes, DNS queries, and driver loads. It dramatically improves the detection value of Windows Event Logs by adding command-line arguments, parent process context, and network connection details that the default Windows audit policy does not capture.

Deployment: Sysmon is a single EXE that installs as a Windows service. The critical variable is the configuration file, which controls what Sysmon logs and what it ignores. The most widely used starting configuration is the SwiftOnSecurity Sysmon configuration on GitHub, which is actively maintained and tuned to reduce noise while retaining high-value events. Do not run Sysmon without a configuration file; the default config generates excessive volume.

Integration with Wazuh: The Wazuh Windows agent automatically collects Sysmon events from the Windows Event Log (Microsoft-Windows-Sysmon/Operational channel). Wazuh ships with built-in rules for common Sysmon-based detections: process injection indicators, credential dumping patterns (LSASS access), lateral movement via remote services, and persistence via scheduled task creation.

When to skip Sysmon: If you already have a commercial EDR deployed (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint), Sysmon is redundant. Those platforms collect the same telemetry and more. Sysmon is the right choice when you have Windows endpoints with no other endpoint agent.

Tool 5: CrowdSec (Collaborative Threat Intelligence and IP Blocking)

CrowdSec is a free, open-source intrusion prevention system that combines local behavioral detection with a crowd-sourced threat intelligence network. When CrowdSec detects an attack (brute force, web scraping, exploitation attempts), it can automatically block the source IP via firewall integration. More importantly, it shares anonymized attack data with a global network and receives reputation data back, giving you access to IP reputation signals from thousands of organizations at no cost.

Deployment: CrowdSec installs on any Linux host. The Security Engine (the detection component) reads log files you point it at (SSH auth logs, web server access logs, application logs) and applies behavioral detection scenarios. Bouncers (the blocking components) integrate with your firewall, Nginx, HAProxy, or cloud security groups to act on decisions.

Why this matters for small teams: The CrowdSec threat intelligence network means your block list is continuously updated based on what other organizations are seeing. A newly active scanning bot or exploitation campaign that hits other CrowdSec users will be in your block list before it reaches your infrastructure, without requiring you to maintain your own threat intel pipeline.

Integration with Wazuh: CrowdSec logs its detection decisions in JSON format. Configure Wazuh to monitor CrowdSec's decision log for correlation with other signals. An IP that CrowdSec blocked at your perimeter that also appears in Zeek connection logs from an internal host is a high-priority investigation signal.

Tool 6: Canary Tokens (Deception-Based Detection)

Canary tokens from canarytokens.org are free, instrumented decoy files, URLs, and credentials that generate an alert when accessed or used. They are one of the highest signal-to-noise detection mechanisms available. When a canary token fires, it means something or someone accessed a file or resource that has no legitimate business reason to be accessed. False positive rate: near zero.

Types relevant to a small team:

Word document tokens: Drop a document named something like Salary_Data_2026.docx or IT_Passwords.xlsx in a network share. If it is opened, you get an immediate alert with the source IP and username. This detects insider threats and attackers doing file reconnaissance after initial compromise.

DNS tokens: Create a DNS canary token and embed the domain in a web application configuration file, a cloud credentials file, or a backup script. If the file is exfiltrated and the credential is used, the DNS token fires from the attacker's infrastructure.

AWS key tokens: Generate a canary AWS access key pair. Store it in a location where real credentials would be kept (a developer's dotfiles, a CI config). If the key is ever used, you get an alert with the AWS API call made and the source IP, which is almost certainly the attacker's infrastructure.

Deployment: Create tokens at canarytokens.org (no account required, tokens are free). Configure alert delivery to your email or a webhook. For Wazuh integration, configure the webhook to POST to a custom API endpoint that logs the event to a file Wazuh monitors.

Placement strategy: Seed canary tokens throughout your highest-value locations: file shares, backup directories, admin credential stores, cloud configuration repositories, and developer environments. More tokens in more locations means faster detection when an attacker is moving laterally.

Tool 7: Have I Been Pwned API (Credential Exposure Monitoring)

Have I Been Pwned (HIBP) offers a free API tier that lets you check email addresses against its database of compromised credentials from data breaches. For organizations, the domain search API (free for organizational use after verification) lets you check all email addresses at your domain against the breach database automatically.

Why this matters operationally: When employee credentials appear in a public breach, the exposed password may also be used on corporate systems (password reuse). Getting this notification allows you to force a password reset and review for unauthorized access before an attacker exploits the reuse.

Deployment: Use HIBP's domain notification feature by verifying your domain ownership and setting up email alerts. For automation, query the API programmatically. A simple Python script that runs weekly, queries HIBP for your domain, and sends new breach notifications to your ticketing system or Slack can be built in under an hour.

Integration with the broader stack: When HIBP reports that a set of your users appeared in a breach, cross-reference those user accounts in Wazuh for authentication anomalies in the days following the breach date. Attackers who buy breached credentials often test them within 48-72 hours of the breach being published to criminal forums.

The 30-Day Deployment Sequence

Do not try to deploy all seven tools simultaneously. The following sequence minimizes dependencies and gets you to meaningful coverage progressively.

Week 1: Wazuh manager and agents. Get log collection and baseline alerting running first. This is your integration hub; everything else connects to it.

Week 2: Sysmon on Windows endpoints. Install with SwiftOnSecurity config. Confirm Wazuh is collecting Sysmon events and review the additional detection coverage it enables.

Week 3: Zeek at the perimeter. Deploy to a Linux host with SPAN port access. Configure Wazuh to ingest Zeek logs. Run your first threat hunting queries against Zeek DNS logs for newly registered domains and unusual protocol patterns.

Week 4: OpenVAS authenticated scan of internal hosts. Review the top 20 critical findings. Create a prioritized remediation list. Configure weekly scheduled scans.

Week 5: CrowdSec on internet-facing systems. Install on your web server, SSH gateway, and VPN concentrator. Review the first week of block decisions to confirm accuracy.

Week 6: Canary tokens. Deploy 10-15 tokens across your highest-risk locations: admin credential stores, file shares, cloud configuration files. Document where each token is deployed.

Ongoing: HIBP domain monitoring. Set up the notification subscription and create a runbook for handling breach notifications (force reset for affected accounts, review auth logs for 30 days prior).

What This Stack Cannot Do

Be honest with yourself about the gaps this stack does not cover, so you can make risk-informed decisions about where to spend a limited budget.

Email security: This stack has no email gateway, sandboxing, or anti-phishing capability. Email is the primary initial access vector in 90% of breaches. If you have budget for exactly one paid tool, an email security platform (Proofpoint Essentials, Microsoft Defender for Office 365, or even Google Workspace's built-in protections) should be it.

Cloud posture: If you operate in AWS, Azure, or GCP, this stack does not cover cloud misconfiguration or API-level detection. Use each cloud provider's native free tier tools (AWS Security Hub free tier, Azure Security Center free tier) to cover cloud-specific risks.

Endpoint response: Wazuh and Sysmon give you detection visibility on endpoints but limited automated response capability. Isolating a compromised host, killing a malicious process, and collecting forensic memory dumps all require manual intervention or a paid EDR platform.

Advanced persistent threats: Sophisticated nation-state actors with custom tooling specifically designed to evade common detection rules will not be caught by this stack. This stack is calibrated for the commodity threat landscape: ransomware affiliates, opportunistic exploitation, credential stuffing, and insider threats. If you are a high-value target for nation-state actors, you need commercial tooling and a dedicated security team.

The bottom line

Seven free tools cover the detection gaps that matter most for organizations without a dedicated security budget: Wazuh for endpoint detection and log aggregation, Zeek for network visibility, OpenVAS for vulnerability scanning, Sysmon for Windows telemetry, CrowdSec for perimeter threat intelligence, Canary Tokens for deception-based detection, and HIBP for credential exposure monitoring. Deploy them in sequence over 30 days. Integrate each tool into Wazuh as you go. The result is not a best-in-class commercial stack, but it is dramatically better than the spreadsheet-and-hope approach most small teams default to, and it costs nothing but time.

Frequently asked questions

Is Wazuh actually comparable to commercial SIEM platforms like Splunk or Microsoft Sentinel?

For core use cases of log aggregation, rule-based alerting, and file integrity monitoring, Wazuh is genuinely capable. Where it falls short of commercial platforms: search performance at large scale (Splunk and Elastic handle terabyte-scale queries far faster), the ecosystem of pre-built integrations (commercial SIEMs have hundreds of vendor connectors), and advanced analytics features like UEBA and ML-based anomaly detection. For an organization ingesting under 50 GB per day with a team willing to do configuration work, Wazuh is a reasonable primary SIEM. For enterprise-scale deployments or teams that need out-of-the-box vendor integrations, it is better used as a component in a broader architecture.

How much infrastructure do I need to run this full stack?

The core components (Wazuh manager, Zeek, OpenVAS, CrowdSec) can run on 3-4 Linux hosts. Wazuh manager needs the most resources: 4 vCPUs and 8 GB RAM handles up to 50 agents. Zeek on a network tap needs 2 vCPUs and 4 GB RAM for most small office environments. OpenVAS scanning is intermittent and can share hardware with other tools when not actively scanning. If you are running on cloud infrastructure (AWS, GCP, Azure), the monthly cost for this hardware is typically $150-$300 per month for appropriately sized instances. On-premises, these can run on existing server hardware or even older desktops if the load is manageable.

What is the difference between Wazuh and the ELK stack (Elasticsearch, Logstash, Kibana)?

Wazuh actually runs on top of the Elastic stack in its default configuration. Wazuh provides the security-specific layer: agents, decoders, rules, and alert logic. Elasticsearch provides the data storage and search engine, and Kibana (now OpenSearch Dashboards in Wazuh's distribution) provides the visualization layer. You can also run Wazuh with a standalone indexer instead of Elasticsearch. The ELK stack alone is a general-purpose log management platform with no security-specific rules or agents. Wazuh turns it into a security-focused SIEM by adding the agent deployment and rule engine on top.

Can this stack satisfy compliance requirements like SOC 2 or PCI DSS?

Partially. Wazuh's log collection, file integrity monitoring, and audit trail capabilities address several controls in SOC 2 (CC7.2, CC6.8) and PCI DSS (Requirement 10 for logging, Requirement 11 for vulnerability scanning with OpenVAS). However, compliance auditors will also ask about your log retention policies, evidence of rule tuning and maintenance, incident response procedures, and access controls to the security tooling itself. The tools provide the technical capability, but your procedures and documentation determine whether an auditor will accept them. Engaging your auditor early to confirm which tools they will accept evidence from is recommended before committing to this stack for compliance purposes.

How do canary tokens work for detecting insider threats specifically?

Canary tokens work for insider threats because they are tripwires in locations that only someone with internal access would find. An external attacker typically hits your perimeter before finding a canary token in a file share. An insider browsing file shares looking for sensitive data will encounter canary-named files (Salary_Data_2026.docx, Board_Acquisition_Targets.pdf) and may open them out of curiosity. When they do, you get an alert with the exact user account and workstation that accessed the file. This gives you a high-confidence indicator of internal reconnaissance even before any data is actually exfiltrated. The key is naming the files convincingly so they look like real high-value documents.

What should I do first if I have no security tools at all?

Start with Wazuh agent deployment on every endpoint that can run an agent. Log collection is the foundation of every other detection and investigation capability. Without logs, you cannot investigate an incident after the fact, cannot write detection rules, and cannot demonstrate compliance. Once Wazuh is collecting logs, add Sysmon on Windows endpoints for enriched telemetry. Then deploy OpenVAS and run your first authenticated vulnerability scan to understand your highest-risk exposures. Everything else builds on that foundation. The Wazuh plus Sysmon plus OpenVAS combination gives you the most coverage per hour of deployment effort.

Are there free alternatives to CrowdStrike or SentinelOne for endpoint detection and response?

Microsoft Defender Antivirus is free on all modern Windows systems and, when managed through Microsoft Defender for Endpoint (which requires a Microsoft 365 license), provides EDR-class capabilities. For organizations without Microsoft 365, Wazuh plus Sysmon covers most of the detection use cases of a commercial EDR but with manual response processes instead of automated containment. Truly free EDR-class endpoint response tools (automated isolation, process kill, forensic memory collection) with comparable coverage to commercial platforms do not currently exist. The open-source options require significantly more operational maturity and manual intervention than commercial EDR platforms for incident response actions.

Sources & references

  1. Wazuh Open Source XDR
  2. Zeek Network Security Monitor
  3. OpenVAS Vulnerability Scanner

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.