
Free Open-Source Tools

These are tools we are confident in recommending because we have either produced, had a hand in developing, or have practical experience using them in real-time scenarios.

Save More Than Money with Free AppSec Software & Services

Application security can be expensive. However, free isn't always a good thing. Unless those tools are properly vetted, they can end up costing you more time and money if they don't work as advertised, have lapsed in updates, or are extremely difficult to configure and to analyze results from.

Our team of product security experts has curated a shortlist of the top-performing tools across several vital functions that can assist security practitioners and teams of any size in enhancing their AppSec program.

Done-For-You Automated Penetration Testing by AppSec Experts

True Inspect is the “Easy Way” to do DAST Scans and Penetration Testing.

You just submit your information and the T+ Staff will run your scans for you and provide you with a report. There are two scan levels: Standard (Free) and Pro. Pro Scans offer greater detail and remediation guidance at a low cost.

Get a Free Scan at True-Inspect.com


Download Sample Standard Report

Download Sample PRO Report

OWASP PTK

Browser-Based Manual Penetration Testing

PTK is an open-source utility that performs fast and effective web application vulnerability testing.

It strengthens analysis and saves time by making it simple to get detailed information about an application's security issues.

Built for penetration testers, offensive security teams, and developers — PTK powers productivity with advanced recon, weaponization, attack-exploit capability, and carefully matched utilities.

Key Capabilities:

  • Chrome, Firefox, and MS Edge browsers supported.

  • Integrates with Selenium tests.

  • Executes modified HTTP requests without JavaScript validation, and sequence recording with HAR file output.

  • Handles authentication with normal user sessions – MFA/Captcha bypass via macro and traffic recording, bootstrap auth.

  • Inspects technology stack, security headers, crawled links, & domains.

  • Repeats any particular request, or sends it on to test for XSS, SQL, or OS command injection, using the detail captured in the traffic log.

Go to OWASP PTK to Download

Semgrep by R2C

Automated Penetration Tester

Semgrep is a fast, open-source, static analysis tool for modern languages. With 1,000+ existing rules and simple-to-create custom ones, it finds the bugs that matter.


Semgrep can run anywhere: in CI, your editor, or the command-line. Plus, with dedicated infrastructure from r2c, it’s easy to deploy, manage, and monitor Semgrep at scale.


Key Capabilities:

  • Open Source CLI is FREE

  • Spots bugs that matter, immediately

  • Code validation – enforces standards on every commit

  • Guide developers toward writing more secure code

  • Provides rules, building blocks, and infrastructure that scales easily

  • Easy to write custom rules

What is True Positives (aka T+)?

T+ is a collective of highly versatile AppSec veterans and innovators who have served the application security industry for decades while working for companies such as:

  • Microsoft Corporation

  • Intel

  • Cisco Systems

  • Symantec

  • Rapid7

Using their in-depth experience in the various nuances of software security, True Positives is a uniquely specialized application security value-added reseller (AppSecVAR) as well as a designer and developer of powerful and customized commercial solutions. 


Read More About T+

AppSec Peace of Mind Starts Here.
What Have You Got to Gain?
