Tooling

Pentest Linux Distributions

Kali, ParrotOS, BlackArch and friends — pre-loaded offensive-security workstations.

A pentest distro saves you a day of apt install and tool-chain hunting. Run them as a VM, USB-live, WSL, Docker, or daily-driver. For defensive / DFIR distros see Malware Analysis & Sandbox (REMnux) and DFIR & Velociraptor (SIFT, CAINE). For host hardening see Server Hardening.

Mainstream pentest distros

  • ★ ★ Kali Linux (Offensive Security) — the de-facto standard. Debian-based, 600+ tools, weekly rolling, official VMware / VirtualBox / Hyper-V / WSL / ARM / Raspberry Pi / cloud images. Kali Purple variant for blue-team / SOC. Free.
  • ParrotOS Security — Debian-based; lighter than Kali; AnonSurf built in for routing through Tor; includes development tools alongside offensive ones. Free.
  • BlackArch — Arch-based; 2,800+ packaged tools; install on top of an existing Arch host or use the standalone ISO. Free, rolling.
  • Athena OS — Arch-based; modern look; OSCP / HTB / THM tooling pre-grouped; rapidly growing 2024–26. Free.

Specialist distros

  • Pentoo — Gentoo-based; hardened kernel; for people who want to compile everything.
  • Tsurugi Linux — DFIR-focused (also has an offensive variant); Italian/Japanese maintainer team.
  • Commando VM (Mandiant / FireEye) — Windows pentest distro (PowerShell-heavy); installs on top of Windows 10/11.
  • FlareVM (Mandiant) — Windows reverse-engineering / malware-analysis distro; sister project to Commando.

Anonymity-focused live distros

  • Tails — Debian; routes everything through Tor; amnesic by default (no disk writes). For journalists, sources, and OPSEC-sensitive ops. Free.
  • Whonix — two-VM design (Gateway + Workstation); strong Tor isolation; can be paired with Qubes. Free.
  • Qubes OS — security-by-compartmentalization; every app runs in its own Xen VM; Joanna Rutkowska's project. Steep curve, real payoff.

DFIR / forensics distros

  • CAINE (Italian DFIR) — read-only mounting, write-blockers, evidence-handling tools. Free.
  • SIFT Workstation (SANS) — Ubuntu-based DFIR toolkit; free.
  • REMnux — malware-reverse-engineering Linux; free. See Malware Analysis.

How to run them

  • VM — VMware Workstation Player (free), VirtualBox (free), Hyper-V (free Win Pro), UTM (free macOS Apple Silicon). Snapshot before every engagement.
  • WSL2 — Kali ships an official WSL distro (wsl --install -d kali-linux); great for quick CLI work without spinning a VM.
  • Dockerkalilinux/kali-rolling for ephemeral tool runs; works for most CLI tools, not GUI.
  • USB live — Ventoy + ISO; portable, no install needed. Persistence partition for saving loot.
  • Cloud — AWS Marketplace ships official Kali AMIs; useful for cloud-native ops or "I need a public IP."
  • ARM / Raspberry Pi — Kali images for Pi 4/5; turn a Pi into a drop-box.

Cross-references

Pick this if…

  • Default offensive workstation: Kali Linux in a VM.
  • Lighter / nicer UX: ParrotOS.
  • Arch user / max tool count: BlackArch.
  • OPSEC-critical ops, journalist, source protection: Tails or Qubes + Whonix.
  • Pentesting from a Windows endpoint: WSL Kali + FlareVM/Commando dual-boot.
  • Forensics / IR responder: CAINE or SIFT.

On this page