WhiteMuush/Medusa

Medusa is a Bash orchestration toolkit that deploys and manages 35 open-source cybersecurity tools through an interactive menu or the command line. Each tool runs isolated in its own directory, grouped into named environments, and is either deployed via Docker Compose or installed as a CLI binary.


Highlights

  • Single entry point, pure Bash, no runtime dependency beyond the system prerequisites.
  • 35 tools across 4 modules: SOC, GRC, Integration, OT.
  • Two interfaces, an interactive TUI and a scriptable CLI.
  • Environment isolation, separate deployment trees for lab, audit, training.
  • No database, no daemon, the filesystem under medusa_deployments/ is the single source of truth.

Quick start

git clone https://github.com/WhiteMuush/Medusa.git
cd Medusa
chmod +x medusa.sh
./medusa.sh check      # verify prerequisites
./medusa.sh            # launch interactive menu

Non-interactive usage:

./medusa.sh deploy wazuh
./medusa.sh start opencti
./medusa.sh logs misp 200
./medusa.sh list soc
ENV_NAME=audit_client ./medusa.sh deploy keycloak

Prerequisites. Required: docker, docker compose (or docker-compose), git. Recommended: curl, python3, pip3, openssl. Run ./medusa.sh check to verify.

Documentation

Full documentation lives in the Wiki.

Topic | Page
Prerequisites, install, uninstall | Installation
Every command and the menu | Usage
Environment variables and the config page | Configuration
Layout, boot sequence, registry, state model | Architecture
Named contexts and isolation | Environments
Per-tool details, ports, credentials | SOC · GRC · Integration · OT
Default ports and collisions | Ports Reference
Hardening notes | Security
Common problems | Troubleshooting · FAQ
Add a tool, contribute | Adding a Tool · Contributing

Modules

# | Module | Tools | Scope
1 | SOC / Detection & Response | 14 | SIEM, XDR, NDR, CTI, SOAR, endpoint and network forensics
2 | GRC / Governance & Compliance | 5 | Risk, multi-framework compliance (ISO 27001, NIS2, DORA, GDPR), hardening, phishing
3 | Integration (IAM, Cloud, CI/CD) | 11 | Identity, secrets, container/IaC/cloud scanning, SAST, DAST, secret detection
4 | OT / Industrial Security | 5 | Passive ICS monitoring, SCADA asset mapping, OT vulnerability scanning

Available tools

SOC / Detection & Response

  • wazuh docker, SIEM/XDR, detection, response, compliance
  • security-onion vm, NDR, network monitoring (Suricata + Zeek)
  • suricata docker, high-performance network IDS/IPS
  • zeek docker, passive network traffic analysis
  • opencti docker, CTI platform, threat intelligence
  • misp docker, indicators of compromise sharing
  • dfir-iris docker, case management, forensic investigation
  • cortex docker, observable enrichment and active response
  • velociraptor docker, endpoint forensics and threat hunting
  • shuffle docker, SOAR, orchestration and automation
  • yara cli, malware detection rules
  • grr docker, remote incident response (Google)
  • arkime docker, network packet capture and indexing
  • sigma cli, generic multi-SIEM detection rules

GRC / Governance & Compliance

  • eramba docker, GRC, policies, risks, compliance
  • ciso-assistant docker, lightweight GRC, multi-framework (NIS2, DORA, ISO 27001)
  • simplerisk docker, risk management, registers and scoring
  • openscap cli, compliance evaluation and system hardening
  • gophish docker, phishing simulation and awareness

Integration (IAM, Cloud, CI/CD)

  • keycloak docker, IAM, SSO, MFA, identity federation
  • teleport cli, PAM, privileged access SSH/Kubernetes/DB
  • vault docker, secrets manager (dev mode)
  • trivy cli, container and IaC vulnerability scanner
  • semgrep cli, SAST, static code analysis
  • owasp-zap docker, DAST, web security scanner
  • gitleaks cli, secret detection in Git repositories
  • checkov cli, static IaC analysis (Terraform, Kubernetes)
  • prowler cli, cloud security audit AWS/Azure/GCP
  • scoutsuite cli, multi-cloud audit with HTML report
  • falco docker, cloud-native runtime threat detection

OT / Industrial Security

  • malcolm cli, OT network traffic analysis, industrial protocols (CISA)
  • grfics vm, SCADA/ICS simulation for training labs
  • nmap cli, network mapping and industrial NSE scripts
  • openvas docker, network vulnerability scanner
  • grassmarlin vm, passive ICS/SCADA network mapping (NSA)

Tools marked vm print manual deployment instructions (ISO, VirtualBox/VMware); they are not deployed automatically.

Security

  • Generated passwords are produced with openssl (24 alphanumeric characters); each credentials.txt is written with mode 600 (chmod 600).
  • Docker images are pinned to specific versions (Greenbone's feed images are the documented exception).
  • Vault is deployed in dev mode, in-memory only, never for production.
  • medusa_deployments/ is git-ignored and must never be committed.
  • Some tools ship fixed upstream default credentials (Wazuh, MISP, Eramba, OpenVAS); rotate them immediately after deployment.

Details and the full hardening checklist: Security. Report vulnerabilities via SECURITY.md, not a public issue.

Contributing

Contributions are welcome. The recipe to add a tool is Adding a Tool; workflow and conventions are in CONTRIBUTING.md.

License

MIT
