
Free Open-Source Tools
These are tools we are confident in recommending because we have either produced, had a hand in developing, or have practical experience using them in real-time scenarios.
Save More Than Money with
Free AppSec Software & Services
Application security can be expensive. However, free isn't always a good thing: unless a tool has been properly vetted, it can end up costing you more time and money if it doesn't work as advertised, has lapsed in updates, or is extremely difficult to configure and its results hard to analyze.
Our team of product security experts has curated a shortlist of the top-performing tools across several vital functions that can assist security practitioners and teams of any size in enhancing their AppSec program.

Done-For-You Automated Penetration Testing by AppSec Experts
True Inspect is the “Easy Way” to do DAST Scans and Penetration Testing.
You just submit your information, and the T+ staff run the scans for you and provide you with a report. There are two scan levels: Standard (free) and Pro. Pro scans offer greater detail and remediation guidance at a low cost.
Download Sample Standard Report
Download Sample PRO Report
OWASP PTK
Browser-Based Manual Penetration Testing
PTK is an open-source utility that performs fast and effective web application vulnerability testing.
It strengthens analysis and saves time by making it simple to get detailed information about an application's security issues.
Built for penetration testers, offensive security teams, and developers — PTK powers productivity with advanced recon, weaponization, attack-exploit capability, and carefully matched utilities.
Key Capabilities:
- Chrome, Firefox, and MS Edge browsers are supported.
- Integrates with Selenium tests.
- Executes modified HTTP requests without client-side JavaScript validation, and records request sequences with HAR file output.
- Handles authentication with a normal user session: MFA/CAPTCHA steps are passed via macro and traffic recording or bootstrap auth.
- Inspects the technology stack, security headers, crawled links, and domains.
- Repeat a request, or send it to the XSS, SQL or OS command injection tester, for any particular request in the traffic log.
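The last two capabilities above (HAR recording of an authenticated session, then replaying a logged request with injection payloads) rest on a simple idea: a HAR file already holds the method, URL, headers, query string and form body of every recorded request, so test cases can be generated from it mechanically. The script below is an added illustration of that idea, not PTK's own code. It parses a constructed HAR 1.2 capture (embedded inline), carries the recorded headers such as the session cookie over unchanged, and produces one variant per parameter per payload; the payload strings and the `app.example.test` host are illustrative assumptions. Sending the variants is left to whatever HTTP client the tester prefers.

```python
"""Build injection test cases from a HAR capture (added illustration, not PTK code)."""
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample capture in HAR 1.2 layout (log.entries[].request); not real traffic.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "GET",
                     "url": "https://app.example.test/search?q=shoes&page=2",
                     "headers": [{"name": "Cookie", "value": "session=abc123"}],
                     "queryString": [{"name": "q", "value": "shoes"},
                                     {"name": "page", "value": "2"}]}},
        {"request": {"method": "POST",
                     "url": "https://app.example.test/login",
                     "headers": [{"name": "Content-Type",
                                  "value": "application/x-www-form-urlencoded"}],
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "params": [{"name": "user", "value": "alice"},
                                             {"name": "pass", "value": "hunter2"}]}}},
    ]}
})

# Illustrative probe strings, one per injection class (assumed, not PTK's payload list).
PAYLOADS = {
    "xss": '"><script>alert(1)</script>',
    "sqli": "' OR '1'='1",
    "cmdi": "; id",
}


def load_requests(har_text):
    """Return the request objects recorded in a HAR document."""
    return [e["request"] for e in json.loads(har_text)["log"]["entries"]]


def mutate_request(req, payloads=PAYLOADS):
    """Return one variant of `req` per (parameter, payload) pair.

    Query parameters are rewritten into the URL, form parameters into the body.
    Recorded headers (e.g. the session cookie) are carried over unchanged so the
    replay runs inside the authenticated session that was captured.
    """
    headers = {h["name"]: h["value"] for h in req.get("headers", [])}
    parts = urlsplit(req["url"])
    query = parse_qsl(parts.query, keep_blank_values=True)
    form = [(p["name"], p["value"]) for p in req.get("postData", {}).get("params", [])]
    variants = []
    for idx, (name, _) in enumerate(query):
        for kind, payload in payloads.items():
            q = list(query)
            q[idx] = (name, payload)
            url = urlunsplit(parts._replace(query=urlencode(q)))
            variants.append({"method": req["method"], "url": url, "headers": headers,
                             "body": None, "param": name, "kind": kind})
    for idx, (name, _) in enumerate(form):
        for kind, payload in payloads.items():
            f = list(form)
            f[idx] = (name, payload)
            variants.append({"method": req["method"], "url": req["url"], "headers": headers,
                             "body": urlencode(f), "param": name, "kind": kind})
    return variants


def build_test_cases(har_text, payloads=PAYLOADS):
    """Flatten all recorded requests into a list of injection variants."""
    return [v for r in load_requests(har_text) for v in mutate_request(r, payloads)]


if __name__ == "__main__":
    for case in build_test_cases(SAMPLE_HAR):
        print(case["kind"], case["method"], case["param"], case["url"], case["body"])
```

Only `application/x-www-form-urlencoded` bodies are handled; JSON bodies, multipart uploads and cookie or header parameters would need their own mutation branch, which is exactly the kind of coverage a browser-integrated tool like PTK adds over a script.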
Cherrybomb by BLST
Command Line Interface (CLI) Tester
T+ is proud to partner with BLST, makers of Cherrybomb.
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications and running API security tests.
Cherrybomb reads your API spec file (OpenAPI Specification, OAS), validates it against the OAS specification and best-practice rules, then tests the running API to verify that it follows the spec and checks it for common vulnerabilities.
The output is a detailed table of any issues found, pointing you to the exact problem and its location so you can fix it quickly.

Key Capabilities:
- OAS 3.x support
- Quick installation
- Passive checks
- Active tester
- Endpoint listing
- Parameter table
- Optimized CI pipelines
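To make the "passive check" idea concrete, here is an added Python example (my own illustration, not Cherrybomb's code or rule set) of the kind of spec-only checks a tool can run before touching a live API. It walks a constructed OpenAPI 3.0 document embedded inline and flags four things a reviewer would ask about: non-HTTPS server URLs, operations with no security requirement, string parameters with no length or pattern bound, and operations that document no 4xx response. The four rules and their severities are assumptions chosen for illustration; `$ref` parameters are not resolved.

```python
"""Passive best-practice checks over an OpenAPI 3.x document (added illustration, not Cherrybomb)."""

# Constructed minimal OAS 3.0 document with a few deliberate weaknesses; not a real API.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "1.0"},
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/orders": {
            "get": {
                "security": [{"bearer": []}],
                "parameters": [{"name": "status", "in": "query",
                                "schema": {"type": "string", "maxLength": 16}}],
                "responses": {"200": {"description": "ok"},
                              "401": {"description": "unauthenticated"}},
            },
            "post": {
                "parameters": [{"name": "note", "in": "query",
                                "schema": {"type": "string"}}],
                "responses": {"200": {"description": "ok"}},
            },
        },
        "/orders/{id}": {
            "delete": {
                "security": [{"bearer": []}],
                "parameters": [{"name": "id", "in": "path", "required": True,
                                "schema": {"type": "integer"}}],
                "responses": {"204": {"description": "deleted"}},
            }
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def passive_checks(spec):
    """Return a list of (severity, location, message) findings.

    Illustrative rule subset (assumed for this example):
      - every server URL must use https
      - every operation must declare a security requirement (top-level or per-operation)
      - string parameters should bound length (maxLength) or shape (pattern)
      - every operation should document at least one 4xx response
    """
    findings = []
    for srv in spec.get("servers", []):
        url = srv.get("url", "")
        if not url.lower().startswith("https://"):
            findings.append(("HIGH", f"servers[{url}]", "server URL is not https"))

    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        shared_params = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"{method.upper()} {path}"
            # An explicit "security": [] disables auth for the operation and is flagged too.
            if not op.get("security", global_security):
                findings.append(("HIGH", loc, "no security requirement declared"))
            for p in shared_params + op.get("parameters", []):
                schema = p.get("schema", {})
                if schema.get("type") == "string" and not ("maxLength" in schema or "pattern" in schema):
                    findings.append(("MEDIUM", f"{loc} param {p['name']}",
                                     "unbounded string parameter (no maxLength/pattern)"))
            if not any(str(code).startswith("4") for code in op.get("responses", {})):
                findings.append(("LOW", loc, "no 4xx response documented"))
    return findings


def print_table(findings):
    """Render findings as the kind of issue table a CLI checker prints."""
    for sev, loc, msg in findings:
        print(f"{sev:<8}{loc:<34}{msg}")


if __name__ == "__main__":
    print_table(passive_checks(SAMPLE_SPEC))
```

Running it against the sample yields five findings: the plain-http server, the unauthenticated `POST /orders` with its unbounded `note` parameter, and the two operations that never document an error response. None of this requires network access, which is why passive checks are cheap enough to run on every pull request.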
What is True Positives (aka T+)?
T+ is a collective of highly versatile AppSec veterans and innovators who have served the application security industry for decades while working for companies such as:
Using their in-depth experience in the various nuances of software security, True Positives is a uniquely specialized application security value-added reseller (AppSecVAR) as well as a designer and developer of powerful and customized commercial solutions.