Medusa is a bash orchestration toolkit that deploys and manages 35 open-source cybersecurity tools via an interactive menu or the command line.
- Prerequisites
- Installation
- Usage
- Modules
- Architecture
- Environments
- Available tools
- Default ports
- Security
## Prerequisites

- docker: required, container deployment
- docker compose or docker-compose: required, service orchestration
- git: required, cloning official repositories
- curl: recommended, downloading installers
- python3: recommended, UUID generation
- pip3: recommended, installing CLI tools (semgrep, prowler…)
- openssl: recommended, password generation
Check prerequisites:

```bash
./medusa.sh check
```

## Installation

```bash
git clone https://github.com/WhiteMuush/medusa.git
cd medusa
chmod +x medusa.sh
./medusa.sh
```

No external dependencies beyond the system prerequisites. Everything is contained in a single directory.

## Usage

Interactive mode:

```bash
./medusa.sh
```

Keyboard navigation:
- `1`–`4`: Select a module
- `5`: Status dashboard
- `6`: Start all deployed tools
- `7`: Stop all tools
- `C`: System configuration
- `Q`: Quit
CLI mode:

```bash
./medusa.sh deploy <tool>
./medusa.sh start <tool|all>
./medusa.sh stop <tool|all>
./medusa.sh restart <tool>
./medusa.sh status [tool]
./medusa.sh logs <tool> [lines]
./medusa.sh remove <tool>
./medusa.sh list [soc|grc|integration|ot]
./medusa.sh check
./medusa.sh version
```

Examples:
```bash
./medusa.sh deploy wazuh
./medusa.sh start opencti
./medusa.sh logs misp 200
./medusa.sh list soc
ENV_NAME=audit_client ./medusa.sh deploy keycloak
```

## Modules

### SOC

14 tools covering a full SOC stack: SIEM, XDR, NDR, CTI, SOAR, endpoint and network forensics.

### GRC

5 tools for risk management, multi-framework compliance (ISO 27001, NIS2, DORA, GDPR), system hardening, and phishing simulation.

### Integration

11 tools covering identity, secrets, container/IaC/cloud vulnerability scanning, SAST, DAST, and secret detection in repositories.

### OT

5 tools for passive industrial network monitoring, ICS/SCADA asset mapping, and OT vulnerability scanning.
## Architecture

```text
medusa/
├── medusa.sh                    # Main entry point
├── lib/
│   ├── core.sh                  # Colors, utilities, Docker helpers, tool registry
│   ├── modules.sh               # Interactive menus, dashboard, session init
│   ├── deploy_soc.sh            # SOC deployment functions
│   ├── deploy_grc.sh            # GRC deployment functions
│   ├── deploy_integration.sh    # Integration deployment functions
│   └── deploy_ot.sh             # OT deployment functions
└── medusa_deployments/
    └── <env_name>/
        └── <tool>/
            ├── docker-compose.yml
            ├── .env
            └── credentials.txt  # chmod 600
```
Each tool is isolated in its own subdirectory. Installation status is determined by the presence of docker-compose.yml (Docker tools) or .installed (CLI tools).
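The layout rules above (one subdirectory per tool, `docker-compose.yml` or `.installed` as the install marker, `credentials.txt` at mode 600) are enough to audit an environment directory from outside the toolkit. The script below is an added example and is not part of the Medusa project: it classifies each tool directory, flags credential files that are missing or too permissive, and extracts the host-side port of every `ports:` mapping in the compose files so that two tools mapping the same host port are reported before `start all` is attempted. Function names are this example's own, and the sample environment built by `make_sample_env` is constructed data, not output of Medusa.

```bash
#!/usr/bin/env bash
# Added example, not part of the Medusa project: audit one environment directory
# (medusa_deployments/<env_name>/) using the layout rules the README states. A tool
# is a Docker tool if docker-compose.yml exists, a CLI tool if .installed exists,
# and credentials.txt is expected to be mode 600. Function names are this example's
# own; the sample tree built by make_sample_env is constructed data.

# Classify one tool directory: docker | cli | none
tool_status() {
  if [ -f "$1/docker-compose.yml" ]; then
    echo docker
  elif [ -f "$1/.installed" ]; then
    echo cli
  else
    echo none
  fi
}

# Host-side ports from the "ports:" entries of a compose file, one per line.
# Accepts "- 8443:443", "- \"8443:443\"" and "- 127.0.0.1:8443:443".
compose_host_ports() {
  sed -n -E 's/^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?([0-9]+):[0-9]+.*/\2/p' "$1"
}

# Print "PORT tool tool ..." for every host port mapped by more than one Docker
# tool in the environment: those tools cannot be started together on one host.
find_port_collisions() {
  local env_dir=$1 d name p
  for d in "$env_dir"/*/; do
    name=$(basename "$d")
    if [ "$(tool_status "$d")" = docker ]; then
      compose_host_ports "$d/docker-compose.yml" | while read -r p; do
        printf '%s %s\n' "$p" "$name"
      done
    fi
  done | awk '{ tools[$1] = tools[$1] " " $2; n[$1]++ }
              END { for (p in n) if (n[p] > 1) print p tools[p] }' | sort -n
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report credential files that are missing (Docker tools) or not mode 600.
weak_credentials() {
  local env_dir=$1 d name f
  for d in "$env_dir"/*/; do
    name=$(basename "$d")
    f="$d/credentials.txt"
    if [ -f "$f" ]; then
      if [ "$(file_mode "$f")" != 600 ]; then
        echo "$name: credentials.txt mode $(file_mode "$f"), expected 600"
      fi
    elif [ "$(tool_status "$d")" = docker ]; then
      echo "$name: credentials.txt missing"
    fi
  done
}

# Constructed sample environment for the demo: two Docker tools that both map
# host port 443, one of them with a world-readable credentials file, one CLI
# tool, and one directory with no install marker at all.
make_sample_env() {
  local env_dir=$1
  mkdir -p "$env_dir/wazuh" "$env_dir/misp" "$env_dir/yara" "$env_dir/zeek"
  printf 'services:\n  dashboard:\n    ports:\n      - "443:5601"\n' \
    > "$env_dir/wazuh/docker-compose.yml"
  printf 'services:\n  misp:\n    ports:\n      - 443:443\n      - 127.0.0.1:8443:443\n' \
    > "$env_dir/misp/docker-compose.yml"
  printf 'admin / example-only\n' > "$env_dir/wazuh/credentials.txt"
  chmod 600 "$env_dir/wazuh/credentials.txt"
  printf 'admin / example-only\n' > "$env_dir/misp/credentials.txt"
  chmod 644 "$env_dir/misp/credentials.txt"   # deliberately too permissive
  : > "$env_dir/yara/.installed"               # CLI tool marker
}

# Usage: bash medusa_audit.sh medusa_deployments/<env_name>
#        bash medusa_audit.sh --demo      (runs against the constructed sample)
if [ -n "${1:-}" ]; then
  if [ "$1" = --demo ]; then
    env_dir=$(mktemp -d)
    make_sample_env "$env_dir"
  else
    env_dir=$1
  fi
  for d in "$env_dir"/*/; do
    printf '%-16s %s\n' "$(basename "$d")" "$(tool_status "$d")"
  done
  echo "Host port collisions (port, then the tools that map it):"
  find_port_collisions "$env_dir" | sed 's/^/  /'
  echo "Credential file problems:"
  weak_credentials "$env_dir" | sed 's/^/  /'
fi
```

The port extraction deliberately reads the compose files rather than the README's default port list, since a port you changed in `docker-compose.yml` after deployment is the one that matters; mappings bound to different addresses (`127.0.0.1:8443:443` versus `8443:443`) are still reported as the same host port, which errs on the side of a warning.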
## Environments

Medusa isolates each working context in a named environment. At startup, three options are offered:

- `1`: Create a new environment with a custom name
- `2`: Load an existing environment
- `3`: Auto-generate a name (`env_YYYYMMDD_HHMMSS`)

Deployments are stored under `medusa_deployments/<env_name>/`. This allows maintaining separate contexts: lab, client audit, training, etc.

In CLI mode, set the environment via the `ENV_NAME` variable:

```bash
ENV_NAME=lab_soc ./medusa.sh deploy wazuh
```

## Available tools

### SOC

| Tool | Type | Description |
|---|---|---|
| wazuh | docker | SIEM/XDR, detection, response, compliance |
| security-onion | vm | NDR, network monitoring (Suricata + Zeek) |
| suricata | docker | High-performance network IDS/IPS |
| zeek | docker | Passive network traffic analysis |
| opencti | docker | CTI platform, threat intelligence |
| misp | docker | Indicators of compromise sharing |
| dfir-iris | docker | Case management, forensic investigation |
| cortex | docker | Observable enrichment and active response |
| velociraptor | docker | Endpoint forensics and threat hunting |
| shuffle | docker | SOAR, orchestration and automation |
| yara | cli | Malware detection rules |
| grr | docker | Remote incident response (Google) |
| arkime | docker | Network packet capture and indexing |
| sigma | cli | Generic multi-SIEM detection rules |

### GRC

| Tool | Type | Description |
|---|---|---|
| eramba | docker | GRC, policies, risks, compliance |
| ciso-assistant | docker | Lightweight GRC, multi-framework (NIS2, DORA, ISO 27001) |
| simplerisk | docker | Risk management, registers and scoring |
| openscap | cli | Compliance evaluation and system hardening |
| gophish | docker | Phishing simulation and awareness |

### Integration

| Tool | Type | Description |
|---|---|---|
| keycloak | docker | IAM, SSO, MFA, identity federation |
| teleport | cli | PAM, privileged access to SSH/Kubernetes/DB |
| vault | docker | Secrets manager (dev mode) |
| trivy | cli | Container and IaC vulnerability scanner |
| semgrep | cli | SAST, static code analysis |
| owasp-zap | docker | DAST, web security scanner |
| gitleaks | cli | Secret detection in Git repositories |
| checkov | cli | Static IaC analysis (Terraform, Kubernetes) |
| prowler | cli | Cloud security audit (AWS/Azure/GCP) |
| scoutsuite | cli | Multi-cloud audit with HTML report |
| falco | docker | Cloud-native runtime threat detection |

### OT

| Tool | Type | Description |
|---|---|---|
| malcolm | docker | OT network traffic analysis, industrial protocols (CISA) |
| grfics | vm | SCADA/ICS simulation for training labs |
| nmap | cli | Network mapping and industrial NSE scripts |
| openvas | docker | Network vulnerability scanner |
| grassmarlin | vm | Passive ICS/SCADA network mapping (NSA) |

`vm` tools display manual deployment instructions (ISO, VirtualBox/VMware).
## Default ports

| Tool | Port |
|---|---|
| Wazuh Dashboard | 443 |
| OpenCTI | 8080 |
| MISP | 443 |
| DFIR-IRIS | 4433 |
| Cortex | 9001 |
| Velociraptor GUI | 8889 |
| Shuffle | 3443 |
| GRR | 8001 |
| Eramba | 8443 |
| CISO Assistant | 8443 |
| SimpleRisk | 8445 |
| GoPhish Admin | 3333 |
| Keycloak | 8180 |
| Vault | 8200 |
| OWASP ZAP | 8090 |
| Greenbone/OpenVAS | 9392 |
| Arkime | 8005 |
| Falco | daemon (no web interface) |

Some defaults overlap: Wazuh Dashboard and MISP both use 443, and Eramba and CISO Assistant both use 8443. Two tools sharing a default cannot be started on the same host at the same time unless the host-side port (or bind address) is changed in one tool's `docker-compose.yml` under `medusa_deployments/<env_name>/<tool>/`.
## Security

- Passwords are randomly generated (24 alphanumeric characters via `openssl`)
- Each `credentials.txt` file is created with `chmod 600`
- The `medusa_deployments/` directory must never be committed (see `.gitignore`)
- Vault is deployed in dev mode by default: in-memory data only, do not use in production
- The script warns when run as `root` but does not block execution
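The first three points above describe a small, self-contained discipline: draw a 24-character alphanumeric secret from `openssl`, keep the file that stores it private, and keep the whole deployment tree out of git. The script below is an added example, not code from the Medusa project: it implements that discipline with function names and a `credentials.txt` layout of its own. The one design point it adds is that the file is created under `umask 077` inside a subshell, so it is mode 600 from the moment it exists rather than being created world-readable and tightened afterwards. The repository built in the demo is constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example, not part of the Medusa project: generate a credential the way the
# Security section describes (24 alphanumeric characters from openssl), write
# credentials.txt so it is private from the instant it exists, and confirm the
# deployment tree is git-ignored. Function names and the credentials.txt layout
# are this example's own; the repo built in the demo is constructed.

# 24 random characters from [A-Za-z0-9] (pass a length to override). openssl rand
# yields uniform bytes; base64 maps each 6-bit group to one of 64 symbols, and tr
# drops "+", "/" and "=" (rejection sampling), so the survivors stay uniform over
# 62 symbols and 24 of them carry 24*log2(62) ~ 143 bits of entropy. The loop
# keeps drawing until enough survivors have accumulated.
gen_password() {
  local n=${1:-24} out=""
  while [ "${#out}" -lt "$n" ]; do
    if command -v openssl >/dev/null 2>&1; then
      out="$out$(openssl rand -base64 48 | LC_ALL=C tr -dc 'A-Za-z0-9')"
    else
      # Fallback when openssl is absent: same alphabet, bytes from /dev/urandom.
      out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    fi
  done
  printf '%s' "$out" | cut -c1-"$n"
}

# Write <tool_dir>/credentials.txt as mode 600 from creation: umask 077 in a
# subshell makes the file private when it is created, instead of creating a
# world-readable file and tightening it afterwards; the temp name plus mv means
# a reader never sees a half-written file.
write_credentials() {
  local tool_dir=$1 user=$2 password=$3
  ( umask 077
    tmp="$tool_dir/.credentials.$$.tmp"
    printf 'User:     %s\nPassword: %s\n' "$user" "$password" > "$tmp"
    mv "$tmp" "$tool_dir/credentials.txt" )
}

# "ignored" if the repo's .gitignore excludes medusa_deployments/, else "NOT ignored".
# Inside a real clone, `git check-ignore -q medusa_deployments/` is the definitive test.
check_gitignore() {
  if [ -f "$1/.gitignore" ] && grep -qxE '/?medusa_deployments/?' "$1/.gitignore"; then
    echo ignored
  else
    echo "NOT ignored"
  fi
}

# Usage: bash medusa_creds.sh --demo   (everything happens in a temporary directory)
if [ "${1:-}" = --demo ]; then
  repo=$(mktemp -d)
  mkdir -p "$repo/medusa_deployments/lab/wazuh"
  write_credentials "$repo/medusa_deployments/lab/wazuh" admin "$(gen_password)"
  ls -l "$repo/medusa_deployments/lab/wazuh/credentials.txt"
  echo "before .gitignore: $(check_gitignore "$repo")"
  printf 'medusa_deployments/\n' > "$repo/.gitignore"
  echo "after  .gitignore: $(check_gitignore "$repo")"
  rm -rf "$repo"
fi
```

Filtering base64 output with `tr` is safe only because every base64 symbol is equally likely and the filter just discards three of them; mapping bytes modulo 62 would bias the result, which is why the fallback path uses the same discard filter on raw `/dev/urandom` bytes instead.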
Contributions are welcome. See CONTRIBUTING.md for local setup, code conventions, and the PR checklist. The recipe for adding a new tool is in docs/ADDING_A_TOOL.md, and the internal architecture is documented in docs/ARCHITECTURE.md.
To report a vulnerability, see SECURITY.md — do not open a public issue.
