• CyberChef - a ‘Swiss army knife’ for security professionals
• John the Ripper password hash cracking tool
• Hydra - brute-forcing of passwords for network services
• Nmap network security scanner
• Tools from FacebookMeta:
  • Infer static analyzer (for Java, C, C++, Objective-C)
  • Pysa - static analysis of Python code
• PMD Java source scanner (general, but has some security features)
• FindSecurityBugs, a plugin for the SpotBugs Java scanner
• David Wheeler’s Flawfinder (for C/C++)
• RATS, the Rough Auditing Tool for Security (C, C++, Perl, PHP, Python)
• Metasploit Framework - exploit management for pen testing
• BaRMIe, a tool for enumerating and attacking Java RMI services
• sqlmap - pen testing for web application databases
• Nikto web server vulnerability assessment tool
• Radamsa fuzzing tool
• Boofuzz fuzzing engine and framework

See more reviewed in David Wheeler’s Static Analysis Tools for Security and at sectools.org.