Python is the language of choice for security professionals who need to automate repetitive tasks, investigate incidents faster, and build custom tooling that commercial products simply cannot provide. In this article, you will build four practical security tools from scratch: a port scanner, a file hash verifier, a log analyzer, and a basic network packet inspector.
Security teams are perpetually understaffed relative to the volume of work they face. The ISC2 2024 Cybersecurity Workforce Study estimated a global shortage of roughly 4.8 million security professionals. Every hour spent manually checking open ports on a new server, verifying that a downloaded binary has not been tampered with, or scrolling through thousands of log lines for a single suspicious IP is an hour not spent on higher-value analysis. Python removes that friction. Its standard library covers sockets, hashing, regular expressions, and file I/O without installing anything extra, and the broader ecosystem adds capabilities like raw packet crafting when you need them.
Each tool in this article is written to be immediately runnable and genuinely useful, not a toy demonstration. By the end you will have a foundation you can extend, combine, and deploy in real environments.
Only run scanning, sniffing, or inspection tools against systems you own or have explicit written permission to test. No United States federal law explicitly criminalizes port scanning, but unauthorized scanning can still trigger legal risk under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) if it causes damage or leads to unauthorized access. The 2000 ruling in Moulton v. VC3 found that a port scan alone did not constitute a CFAA violation, but individual state computer crime laws vary significantly, and jurisdictions outside the United States may treat scanning differently. All examples below assume you are working in a lab environment or on your own infrastructure.
Why Python for Security Automation
Security tooling has historically been dominated by C, Perl, and shell scripting. Python displaced all three for automation tasks because it hits the right balance: fast enough for network I/O and file processing, expressive enough that a ten-line function does something meaningful, and readable enough that a colleague can audit your code without a whiteboard session.
The language also has a uniquely deep footprint in security specifically. Frameworks like Metasploit expose Python-accessible RPC APIs, Scapy is Python-native, and virtually every SIEM and threat intelligence platform provides a Python SDK or REST API you can call from a script. The SANS SEC573 course, authored by SANS Faculty Fellow and Internet Storm Center CTO Mark Baggett, is built entirely around Python as the foundation for security automation -- a reflection of how central the language has become to both offensive and defensive operations. When you learn to build security tools in Python, you are learning in the same environment where professional red teamers, blue teamers, and malware analysts work.
From a practical standpoint, Python's socket, hashlib, re, and subprocess modules cover the vast majority of security automation use cases with no external dependencies at all. When you do need third-party packages, the pip ecosystem has you covered: scapy for packet work, requests for HTTP-based API calls, paramiko for SSH automation, and many others.
"Python is a tool required in the world of InfoSec."
-- Student review, SANS SEC573: AI-Powered Security Automation
Google's Cybersecurity Certificate program on Coursera dedicates an entire course to automating security tasks with Python, reinforcing how central the language has become to professional security workflows. The tools you build in this article use the same core libraries and patterns that underpin those professional training programs.
Create a dedicated virtual environment for your security tools with python -m venv sectools and activate it before installing anything. This keeps your tool dependencies isolated from your system Python and makes it easy to document exact package versions for reproducibility.
Every security tool answers a version of the same question: what is on my network, and is it what I expect? The four tools ahead each probe a different dimension of that question. The port scanner asks what services are exposed. The hash verifier asks whether files are intact. The log analyzer asks who has been here, and what did they want. The packet inspector asks what is happening on the wire right now. Together they form a layered view of the same underlying reality.
Keep that through-line in mind as you build each one. The code will make more sense when you see it as part of a system, not four isolated scripts.
Tool 1: Port Scanner
A port scanner probes a target host to determine which TCP ports are accepting connections. Understanding which ports are open on a system is one of the first steps in both attack surface analysis and network inventory management. This version uses Python's socket module and the concurrent.futures thread pool to scan efficiently without blocking on each connection attempt.
import socket
import concurrent.futures
from datetime import datetime
TARGET = "127.0.0.1" # Replace with your target IP or hostname
PORT_RANGE = range(1, 1025)
TIMEOUT = 0.5 # Seconds to wait before marking a port as closed
def scan_port(host: str, port: int) -> int | None:
"""Return the port number if open, otherwise None."""
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
sock.settimeout(TIMEOUT)
result = sock.connect_ex((host, port))
if result == 0:
return port
except socket.error:
pass
return None
def run_scan(host: str, ports) -> list[int]:
open_ports = []
with concurrent.futures.ThreadPoolExecutor(max_workers=100) as executor:
futures = {executor.submit(scan_port, host, port): port for port in ports}
for future in concurrent.futures.as_completed(futures):
result = future.result()
if result is not None:
open_ports.append(result)
return sorted(open_ports)
if __name__ == "__main__":
print(f"Scanning {TARGET} — started at {datetime.now().strftime('%H:%M:%S')}")
open_ports = run_scan(TARGET, PORT_RANGE)
if open_ports:
print(f"\nOpen ports on {TARGET}:")
for port in open_ports:
try:
service = socket.getservbyport(port, "tcp")
except OSError:
service = "unknown"
print(f" {port:5d} {service}")
else:
print("No open ports found in the specified range.")
print(f"\nScan complete at {datetime.now().strftime('%H:%M:%S')}")A few things worth noting about this implementation. The connect_ex method returns an error code rather than raising an exception, which makes the control flow cleaner than wrapping connect in a try/except for the normal case. Setting a short timeout (0.5 seconds) keeps the scan fast on unresponsive ports while still being generous enough to catch slow-responding services on a local network. The thread pool with 100 workers means you are probing up to 100 ports simultaneously, which reduces total scan time on a /1024 range from several minutes to a few seconds.
The socket.getservbyport call at the end attempts to resolve the port number to a known service name using the system's service database. It will return names like ssh, http, or https for well-known ports, and fall back to unknown for anything not in the database.
This scanner performs a TCP connect scan (sometimes called a full-open scan), meaning it completes the full three-way handshake (SYN, SYN-ACK, ACK) on every open port. This is the most reliable scan type but also the most visible -- each successful connection generates a log entry on the target system. A SYN scan (half-open) sends only the initial SYN and reads the response without completing the handshake, making it stealthier but requiring raw socket privileges. Scapy supports SYN scanning if you need that capability, and Nmap's -sS flag is the industry-standard implementation.
A port scan is an inventory, not an attack
Think of open ports as doors in a building. The scan does not tell you what is behind each door, whether the door is locked, or whether the person inside is friendly. It tells you the doors exist. That is the first thing you need to know, and everything else follows from it. The hash verifier (next) will help confirm that what is behind one of those doors has not been tampered with. The log analyzer will tell you who has been knocking.
Tool 2: File Hash Verifier
Verifying file integrity is a foundational security practice. When you download software, receive files over email, or pull artifacts from a build pipeline, comparing the file's cryptographic hash against a known-good value tells you whether the file has been altered in transit or at rest. This tool computes SHA-256 and MD5 hashes for any file and optionally compares them against an expected value you provide.
import hashlib
import sys
from pathlib import Path
BUFFER_SIZE = 65536 # Read in 64KB chunks to handle large files without loading into memory
def compute_hashes(filepath: Path) -> dict[str, str]:
"""Compute SHA-256 and MD5 hashes for the given file."""
sha256 = hashlib.sha256()
md5 = hashlib.md5()
with open(filepath, "rb") as f:
while chunk := f.read(BUFFER_SIZE):
sha256.update(chunk)
md5.update(chunk)
return {
"sha256": sha256.hexdigest(),
"md5": md5.hexdigest(),
}
def verify_hash(filepath: Path, expected: str) -> bool:
"""Return True if the file's SHA-256 matches the expected value."""
hashes = compute_hashes(filepath)
return hashes["sha256"].lower() == expected.lower()
def main():
if len(sys.argv) < 2:
print("Usage: python hash_verifier.py [expected_sha256]")
sys.exit(1)
filepath = Path(sys.argv[1])
if not filepath.exists():
print(f"Error: File not found: {filepath}")
sys.exit(1)
hashes = compute_hashes(filepath)
print(f"\nFile: {filepath}")
print(f"Size: {filepath.stat().st_size:,} bytes")
print(f"\nSHA-256: {hashes['sha256']}")
print(f"MD5: {hashes['md5']}")
if len(sys.argv) == 3:
expected = sys.argv[2]
match = verify_hash(filepath, expected)
status = "MATCH" if match else "MISMATCH"
print(f"\nExpected: {expected}")
print(f"Result: {status}")
if not match:
sys.exit(2)
if __name__ == "__main__":
main() Reading in 64KB chunks with the walrus operator (:=) keeps memory usage flat regardless of file size. You can verify a 4GB ISO image with the same memory footprint as a 4KB config file. Both hash algorithms update incrementally via the hashlib digest interface, so each chunk feeds into both digests in a single pass through the file.
MD5 is included here for compatibility with older software that still publishes MD5 checksums, but SHA-256 is what you should rely on for actual integrity verification. MD5 has been cryptographically broken since 2004, when Xiaoyun Wang and colleagues demonstrated practical collision attacks. The CMU Software Engineering Institute considers MD5 "cryptographically broken and unsuitable for further use," and NIST recommends the SHA-2 family (including SHA-256) for all applications requiring collision resistance. No collision attack has ever succeeded against full SHA-256.
Extend this tool to accept a .sha256sums file (the format produced by the Linux sha256sum utility) and bulk-verify an entire directory. This is useful for validating software package downloads, forensic disk images, and build artifacts before deployment.
The port scanner and hash verifier both answer point-in-time questions. What is open right now? Does this file match right now? But security is not a snapshot. The next tool introduces the time dimension: not what is happening, but what has already happened, buried in log data that most teams generate in massive quantities but rarely interrogate systematically.
Tool 3: Log Analyzer
Log files are where attacks leave traces. Parsing them manually is impractical at any meaningful scale. This log analyzer reads standard Apache/Nginx combined access logs, identifies suspicious patterns such as unusually high request rates from a single IP or requests for paths associated with common exploit attempts, and outputs a summary report.
import re
import sys
from collections import Counter, defaultdict
from pathlib import Path
from datetime import datetime
# Combined log format pattern
LOG_PATTERN = re.compile(
r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
r'"(?P<method>\S+) (?P<path>\S+) \S+" '
r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Paths that commonly appear in exploit scans and probes
SUSPICIOUS_PATHS = [
r'\.\./', r'/etc/passwd', r'/etc/shadow',
r'\.php\?', r'wp-login', r'xmlrpc\.php',
r'\.env', r'\.git/', r'cmd\.exe', r'/shell',
r'union.*select', r'eval\(', r'base64_decode'
]
SUSPICIOUS_RE = re.compile('|'.join(SUSPICIOUS_PATHS), re.IGNORECASE)
RATE_THRESHOLD = 100 # Flag any IP with more than this many requests
def parse_log(filepath: Path) -> list[dict]:
entries = []
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
for line in f:
match = LOG_PATTERN.match(line.strip())
if match:
entries.append(match.groupdict())
return entries
def analyze(entries: list[dict]) -> dict:
ip_counts = Counter(e["ip"] for e in entries)
status_counts = Counter(e["status"] for e in entries)
suspicious_hits = defaultdict(list)
for entry in entries:
if SUSPICIOUS_RE.search(entry["path"]):
suspicious_hits[entry["ip"]].append(entry["path"])
high_rate_ips = {ip: count for ip, count in ip_counts.items()
if count >= RATE_THRESHOLD}
return {
"total_requests": len(entries),
"unique_ips": len(ip_counts),
"top_ips": ip_counts.most_common(10),
"status_counts": dict(status_counts),
"high_rate_ips": high_rate_ips,
"suspicious_hits": dict(suspicious_hits),
}
def print_report(results: dict) -> None:
print("\n=== Log Analysis Report ===")
print(f"Total requests: {results['total_requests']:,}")
print(f"Unique IPs: {results['unique_ips']:,}")
print("\n-- Top 10 IPs by Request Count --")
for ip, count in results["top_ips"]:
print(f" {ip:20s} {count:6,} requests")
print("\n-- HTTP Status Code Distribution --")
for status in sorted(results["status_counts"]):
print(f" {status} {results['status_counts'][status]:,}")
if results["high_rate_ips"]:
print(f"\n-- High-Rate IPs (>= {RATE_THRESHOLD} requests) --")
for ip, count in sorted(results["high_rate_ips"].items(),
key=lambda x: x[1], reverse=True):
print(f" {ip:20s} {count:,} requests [REVIEW]")
if results["suspicious_hits"]:
print("\n-- Suspicious Path Activity --")
for ip, paths in results["suspicious_hits"].items():
unique_paths = sorted(set(paths))
print(f" {ip} ({len(paths)} hits)")
for path in unique_paths[:5]:
print(f" {path}")
if len(unique_paths) > 5:
print(f" ... and {len(unique_paths) - 5} more")
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python log_analyzer.py <access_log_file>")
sys.exit(1)
logfile = Path(sys.argv[1])
if not logfile.exists():
print(f"Error: Log file not found: {logfile}")
sys.exit(1)
print(f"Analyzing {logfile} ...")
entries = parse_log(logfile)
results = analyze(entries)
print_report(results)The suspicious path list covers patterns you will see in automated scanners probing for directory traversal vulnerabilities, exposed credentials files, common WordPress attack targets, and basic SQL injection or code execution attempts. Extend it with patterns relevant to the technologies in your environment: if you run Tomcat, add /manager/html; if you run Kubernetes dashboards, add /api/v1 probes.
The defaultdict(list) structure for suspicious hits lets you see not just which IPs triggered alerts, but exactly which paths they were requesting. That path detail is often what distinguishes a misconfigured legitimate crawler from an active attack.
Pattern detection is signal extraction from noise
A web server log is a firehose of data where 99% of entries are routine. The log analyzer's job is not to read every line -- it is to surface the statistical anomalies (an IP hitting 10x the normal rate) and the semantic anomalies (a request path containing ../../etc/passwd) that indicate something worth investigating. The approach is the same one SIEMs use at enterprise scale, just distilled to its core logic.
So far, every tool operates on data that already exists: open ports right now, file hashes on disk, log entries already written. The final tool introduces real-time observation -- watching traffic as it moves across the wire. This is the difference between reading a crime scene report and watching the surveillance footage live. It fills the gap between what logs recorded and what is happening in the moments before a log line gets written.
Tool 4: Network Packet Inspector
The previous three tools work entirely with files and sockets. This final tool drops to the network level using Scapy, a Python library that can both craft and capture packets. The inspector captures live traffic, filters it, and extracts basic connection metadata. This is useful for rapid triage when you suspect unusual outbound connections from a host.
# Requires Scapy: pip install scapy
# Must be run with elevated privileges (sudo on Linux/macOS, Administrator on Windows)
from scapy.all import sniff, IP, TCP, UDP
from collections import defaultdict
import signal
import sys
connection_log = defaultdict(int)
packet_count = 0
def handle_packet(packet):
global packet_count
packet_count += 1
if IP not in packet:
return
src = packet[IP].src
dst = packet[IP].dst
proto = "TCP" if TCP in packet else ("UDP" if UDP in packet else "OTHER")
if TCP in packet:
dport = packet[TCP].dport
flags = packet[TCP].flags
key = f"{src} -> {dst}:{dport} [{proto}] flags={flags}"
elif UDP in packet:
dport = packet[UDP].dport
key = f"{src} -> {dst}:{dport} [{proto}]"
else:
key = f"{src} -> {dst} [{proto}]"
connection_log[key] += 1
def print_summary(sig=None, frame=None):
print(f"\n\n=== Capture Summary ({packet_count} packets) ===")
sorted_connections = sorted(connection_log.items(),
key=lambda x: x[1], reverse=True)
for conn, count in sorted_connections[:25]:
print(f" {count:5d}x {conn}")
sys.exit(0)
if __name__ == "__main__":
print("Starting packet capture... Press Ctrl+C to stop and view summary.")
print("(Run as root/Administrator)\n")
signal.signal(signal.SIGINT, print_summary)
# Capture only IP traffic; adjust filter for your needs
# Examples: "tcp port 443", "host 192.168.1.1", "not port 22"
sniff(filter="ip", prn=handle_packet, store=False)The store=False argument to sniff tells Scapy not to accumulate packets in memory (see the Scapy usage documentation). Without this, capturing on a busy network interface for even a few minutes can exhaust available RAM. Processing each packet through the callback and discarding it immediately keeps memory usage near-constant regardless of capture duration.
The BPF filter string passed to the filter parameter uses the same syntax as tcpdump, so you can narrow capture to specific hosts, ports, or protocols at the kernel level before packets even reach your Python code. This dramatically reduces CPU usage on busy interfaces and keeps the output focused on what you care about.
Scapy on Windows requires Npcap to be installed for packet capture capabilities. Npcap is a Windows-only library; macOS and Linux ship with native libpcap support, so no additional packet capture driver is needed on those platforms. On Linux, running the script with sudo is sufficient. On macOS, you may need to grant terminal applications network access in System Settings under Privacy & Security, and running with sudo is typically required for raw socket operations.
You now have four tools that each produce useful output on their own. But individually, they are still manual instruments. The next three sections are about turning scripts into infrastructure: making their output machine-readable, their operations observable, and their behavior predictable under hostile conditions. This is the difference between writing code and building a system.
Structured Output: JSON Export for SIEM Integration
Every tool above prints results to the terminal. That works fine when you are sitting in front of a screen, but security automation becomes far more valuable when tool output feeds directly into other systems: a SIEM like Splunk or Elastic, a ticketing system, a Slack webhook, or a downstream script that correlates findings across tools. JSON is the format that makes this possible. It is parseable by virtually everything, preserves data types, and requires no custom delimiter logic on the receiving end.
The pattern for adding JSON output is straightforward. Take the dictionary your analysis function already returns and serialize it with json.dumps. Here is a reusable export function that works with any of the tools in this article:
import json
from datetime import datetime
from pathlib import Path
def export_json(results: dict, tool_name: str, output_dir: str = ".") -> Path:
"""Write results to a timestamped JSON file and return the path."""
timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
filename = f"{tool_name}_{timestamp}.json"
output_path = Path(output_dir) / filename
envelope = {
"tool": tool_name,
"timestamp": datetime.now().isoformat(),
"version": "1.0",
"results": results,
}
with open(output_path, "w", encoding="utf-8") as f:
json.dump(envelope, f, indent=2, default=str)
return output_pathThe default=str argument handles types that are not natively JSON-serializable, like datetime objects or Path instances, by converting them to strings instead of raising a TypeError. The envelope structure wraps every export with the tool name, a timestamp, and a version field. That metadata matters when you are ingesting output from multiple tools into a single pipeline: you can filter, sort, and correlate by tool and time without parsing filenames.
For the log analyzer specifically, the Counter.most_common results need minor adaptation because JSON does not have a tuple type. Convert them to a list of objects before export:
# Adapt the log analyzer results for clean JSON output
def prepare_log_results_for_export(results: dict) -> dict:
"""Convert Counter tuples and other non-JSON-friendly types."""
export = dict(results)
export["top_ips"] = [
{"ip": ip, "count": count}
for ip, count in results["top_ips"]
]
export["suspicious_hits"] = {
ip: sorted(set(paths))
for ip, paths in results["suspicious_hits"].items()
}
return exportThis is the kind of detail that separates a script you run once from a tool you rely on. When Splunk or Elastic ingests a JSON document where top_ips is an array of objects with named fields, you can immediately build dashboards, write correlation rules, and set threshold-based alerts without any log parsing configuration on the SIEM side.
If you are sending output to a SIEM that expects one event per line (which is common with Splunk HTTP Event Collector and Elastic Filebeat), skip the indent parameter and write each result as a single-line JSON object. This format is called NDJSON (Newline Delimited JSON) and is the standard for high-volume log ingestion pipelines.
Adding Real Logging to Your Tools
Every tool in this article uses print() for output. That is fine for interactive use, but it creates a real problem the moment you want to run these tools unattended, on a schedule, or as part of a larger automation pipeline. print() gives you no severity levels, no timestamps, no ability to route messages to a file while keeping errors on-screen, and no way to silence verbose output without editing code. Python's built-in logging module solves all of these problems with zero additional dependencies.
Here is the pattern for converting any of these tools from print() to proper logging:
import logging
# Create a module-level logger named after the script
logger = logging.getLogger(__name__)
def configure_logging(verbose: bool = False, logfile: str | None = None):
"""Set up logging with console and optional file output."""
level = logging.DEBUG if verbose else logging.INFO
formatter = logging.Formatter(
"%(asctime)s %(levelname)-8s %(message)s",
datefmt="%Y-%m-%d %H:%M:%S"
)
# Console handler: always present
console = logging.StreamHandler()
console.setLevel(level)
console.setFormatter(formatter)
logger.addHandler(console)
# File handler: added only when a logfile path is provided
if logfile:
file_handler = logging.FileHandler(logfile, encoding="utf-8")
file_handler.setLevel(logging.DEBUG) # Capture everything to file
file_handler.setFormatter(formatter)
logger.addHandler(file_handler)
logger.setLevel(logging.DEBUG)With this in place, replace print() calls throughout your tools with the appropriate log level. Use logger.info() for normal operational messages like scan progress, logger.warning() for conditions that deserve attention but are not failures (like a high-rate IP that might be legitimate), logger.error() for problems that prevent a specific operation from completing, and logger.debug() for the verbose detail that is useful during development but noisy in production.
The practical difference is significant. With print(), a cron job running your port scanner at 2 AM produces output that goes nowhere unless you remembered to redirect stdout. With logging, you get timestamped records in a persistent file, you can filter by severity when reviewing results, and you can add a RotatingFileHandler to prevent log files from consuming disk space over weeks of automated runs:
from logging.handlers import RotatingFileHandler
# Rotate after 5 MB, keep 3 backups
rotating = RotatingFileHandler(
"scanner.log", maxBytes=5_000_000, backupCount=3, encoding="utf-8"
)
rotating.setFormatter(formatter)
logger.addHandler(rotating)One additional point that matters for security tools specifically: never log sensitive data. If your tool processes credentials, API keys, or personal information during its operation, make sure those values do not end up in log output. This sounds obvious, but it is remarkably easy to forget when you are debugging with logger.debug(f"Request: {request}") and the request object happens to contain an authorization header.
Your tools are systems, and systems need observability
There is an irony worth sitting with: you are building tools to monitor systems, but those tools are themselves systems that need monitoring. A port scanner that silently fails on a network timeout, a log analyzer that crashes on a malformed line at 3 AM -- these are the same class of problems your tools are designed to find in other software. Logging and structured output are how you apply the same discipline to your own code that your code applies to everything else.
Hardening Your Tools Against Misuse and Failure
A security tool that fails unpredictably or accepts malicious input without validation is a liability, not an asset. The tools in this article are intentionally simple, but before you deploy them in any environment beyond a personal lab, there are several questions you should ask and answer in code.
What happens when input is hostile?
The port scanner accepts a target IP or hostname as a constant in the script. If you refactor it to accept command-line arguments (which you should, using argparse), validate that the input is a legitimate IP address or resolvable hostname before passing it to socket.connect_ex. Python's ipaddress module handles validation cleanly:
import ipaddress
def validate_target(target: str) -> str:
"""Validate and return a target IP or hostname."""
try:
# Check if it is a valid IP address (v4 or v6)
addr = ipaddress.ip_address(target)
if addr.is_private and not addr.is_loopback:
logger.info("Target %s is a private address", target)
return str(addr)
except ValueError:
pass
# Not a raw IP; try to resolve as a hostname
try:
resolved = socket.getaddrinfo(target, None)
if resolved:
return target
except socket.gaierror:
pass
raise ValueError(f"Cannot validate or resolve target: {target}")This function does two things the original script does not. First, it explicitly validates the input instead of letting socket.connect_ex fail silently or unpredictably with a malformed value. Second, it supports IPv6 addresses through the ipaddress module, which the original scanner ignores entirely. If your network uses IPv6 (and increasingly, it does), a tool that only handles IPv4 has a blind spot in your coverage.
What happens when things go wrong at scale?
The log analyzer loads every parsed entry into a list in memory before analysis. On a server that generates several gigabytes of access logs per day, this approach will eventually exhaust available RAM. A streaming approach processes each line as it is read, updates counters incrementally, and discards the raw entry immediately:
def analyze_streaming(filepath: Path) -> dict:
"""Analyze a log file without loading all entries into memory."""
ip_counts = Counter()
status_counts = Counter()
suspicious_hits = defaultdict(list)
total = 0
with open(filepath, "r", encoding="utf-8", errors="replace") as f:
for line in f:
match = LOG_PATTERN.match(line.strip())
if not match:
continue
entry = match.groupdict()
total += 1
ip_counts[entry["ip"]] += 1
status_counts[entry["status"]] += 1
if SUSPICIOUS_RE.search(entry["path"]):
suspicious_hits[entry["ip"]].append(entry["path"])
high_rate_ips = {
ip: count for ip, count in ip_counts.items()
if count >= RATE_THRESHOLD
}
return {
"total_requests": total,
"unique_ips": len(ip_counts),
"top_ips": ip_counts.most_common(10),
"status_counts": dict(status_counts),
"high_rate_ips": high_rate_ips,
"suspicious_hits": dict(suspicious_hits),
}This version produces identical output to the original but never holds more than one line of the log file in memory at a time. The Counter and defaultdict objects grow proportionally to the number of unique IPs and paths, not the total number of log lines, which makes this approach viable for files measured in gigabytes.
What about the tools' own network footprint?
The port scanner with 100 concurrent threads and a 0.5-second timeout will generate a burst of TCP SYN packets that is visible to any intrusion detection system on the network. If you are scanning your own production infrastructure, that burst can trigger automated blocking rules that cut off legitimate access from the machine running your scanner. Two practical mitigations: reduce the thread pool size for production scans (25-50 workers is usually sufficient), and add a short random delay between connection attempts to spread the traffic pattern over time. Neither change requires restructuring the code:
import random
import time
def scan_port_throttled(host: str, port: int) -> int | None:
"""Scan a single port with a small random delay to reduce burst traffic."""
time.sleep(random.uniform(0.01, 0.05))
return scan_port(host, port)This adds between 10 and 50 milliseconds of jitter per connection attempt. With 50 workers, that is enough to smooth the traffic pattern without meaningfully extending total scan time on a typical range. The tradeoff is worth it: a scan that takes 15 seconds instead of 8 seconds but does not trigger your own IDS alerts is far more useful in practice.
What leaks out of your own tool output?
When the log analyzer flags suspicious IPs or the port scanner enumerates open services, that output becomes a target itself. A JSON report listing every open port on your infrastructure is a reconnaissance map. If that file is written to a shared directory, committed to a repository, or sent over an unencrypted channel, you have done an attacker's work for them. Treat your tool output with the same classification level as the systems it describes.
At the code level, this means two things. First, restrict file permissions on output at creation time rather than relying on directory-level defaults. Second, sanitize any data that might contain credentials or tokens before it reaches a report. The log analyzer's raw entries could include authorization headers, session tokens in query strings, or API keys in URL paths. A sanitization pass before export prevents your security tool from becoming a credential harvesting mechanism:
import os
import re
SENSITIVE_PATTERNS = re.compile(
r'(api[_-]?key|token|auth|password|secret|bearer)[=:\s]+\S+',
re.IGNORECASE
)
def sanitize_entry(path: str) -> str:
"""Redact sensitive values from a log path before including in reports."""
return SENSITIVE_PATTERNS.sub('[REDACTED]', path)
def write_secure_output(filepath: Path, data: str) -> None:
"""Write output with restricted file permissions (owner read/write only)."""
fd = os.open(str(filepath), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, 'w', encoding='utf-8') as f:
f.write(data)The os.open call with 0o600 sets permissions atomically at file creation, avoiding the window between creating a world-readable file and then calling chmod. The sanitization regex catches common patterns where credentials appear in URLs and query strings, redacting them before any data reaches disk or a downstream pipeline. In production environments where your tools feed a SIEM, this sanitization layer prevents sensitive values from being indexed and searchable by anyone with dashboard access.
What about race conditions in concurrent operations?
The port scanner appends results to a shared open_ports list from multiple threads simultaneously. In CPython, the Global Interpreter Lock (GIL) makes list.append() an atomic operation, which prevents data corruption on the list object itself. However, this guarantee is an implementation detail of CPython's GIL, not a language specification. With PEP 703 introducing free-threaded Python builds (available experimentally since Python 3.13), relying on the GIL for thread safety is increasingly fragile. Beyond that, there is a subtler problem: if you later extend the scanner to update a shared dictionary (for example, mapping ports to banner-grab results), concurrent writes to the same key can silently overwrite data even under the GIL. The concurrent.futures pattern used in the port scanner avoids this because each Future returns an isolated value, but the moment you move beyond simple return values into shared mutable state, you need explicit thread safety:
import threading
class ThreadSafeResults:
"""Accumulate scan results safely across threads."""
def __init__(self):
self._lock = threading.Lock()
self._data: dict[int, dict] = {}
def add(self, port: int, details: dict) -> None:
with self._lock:
self._data[port] = details
def snapshot(self) -> dict[int, dict]:
with self._lock:
return dict(self._data)This pattern matters when you extend beyond the basic tools here. A common next step is adding service banner grabbing after detecting an open port: the scanner connects, reads a few bytes of the response, and records the service version string. That operation involves writing structured data to a shared dictionary from dozens of threads, and without a lock the results are unpredictable. The snapshot method returns a copy so that the reporting function can iterate without holding the lock and blocking active scan threads.
How do you limit what your tools can do to the host?
The packet inspector requires root privileges because raw socket access is a kernel-level operation. Running the entire tool as root means a bug in your packet parsing code (or a malicious packet that triggers unexpected behavior in Scapy) executes with full system privileges. The standard mitigation is privilege separation: acquire the capabilities you need at startup, then drop to an unprivileged user before processing any untrusted data:
import os
import pwd
def drop_privileges(target_user: str = "nobody") -> None:
"""Drop root privileges after acquiring raw socket capabilities."""
if os.getuid() != 0:
return # Already unprivileged
pw = pwd.getpwnam(target_user)
os.setgroups([])
os.setgid(pw.pw_gid)
os.setuid(pw.pw_uid)
# Verify the drop succeeded
if os.getuid() == 0:
raise RuntimeError("Failed to drop root privileges")Call this function after sniff opens its capture socket but before any packets are processed through your callback. In practice, Scapy's sniff acquires the raw socket during initialization, so you can use the started_callback parameter to trigger the privilege drop at the right moment. The same principle applies if you later build tools that need to bind to privileged ports (below 1024) or read protected log files: acquire access first, then operate at the minimum privilege level the task requires. This limits the blast radius of any vulnerability in your own code.
Throttling and jitter are courtesies to your own infrastructure, not evasion techniques. If you are conducting authorized penetration tests where stealth is a requirement, you need purpose-built tools like Nmap's timing templates or custom Scapy scripts with fine-grained control over packet timing and TCP flag behavior. The tools in this article are designed for asset management and defensive automation, not adversarial simulation.
Key Takeaways
- Python's standard library covers the basics: The socket, hashlib, re, and pathlib modules handle port scanning, hash verification, and log analysis without installing anything. Reserve third-party packages like Scapy for capabilities that genuinely require them.
- Concurrency makes network tools practical: Threading via
concurrent.futuresturns a sequential port scan that would take minutes into one that completes in seconds. Understand the difference between I/O-bound tasks (where threads help) and CPU-bound tasks (where multiprocessing helps) to choose the right approach. - Memory management matters at scale: Read large files in chunks, use
store=Falsein Scapy captures, stream log entries instead of loading entire files into lists, and test your tools against production-sized data before deploying them. Tools that work in a lab can silently fail in production if they exhaust memory. - Customize for your environment: The suspicious path list in the log analyzer and the BPF filter in the packet inspector are the first things you should adapt. Generic tools give you a starting point; effective tools reflect the specific technologies and threat patterns in your environment.
- Structured output unlocks automation: JSON export transforms a standalone script into a pipeline component. When your tools produce machine-readable output, they can feed SIEMs, trigger alerts, populate dashboards, and correlate findings across tools without manual intervention.
- Use logging, not print: Python's
loggingmodule gives you severity levels, timestamps, file rotation, and the ability to route different types of output to different destinations. Every tool you plan to run unattended or on a schedule should use proper logging from the start. - Validate inputs and plan for failure: Security tools that accept untrusted input need input validation. Tools that run against production data need to handle scale gracefully. Tools that generate network traffic need to account for their own footprint. Hardening your tools is part of building them.
- Combine tools into pipelines: These tools are most powerful when chained together. A port scan identifies a new service, the hash verifier confirms the binary running on that port has not been tampered with, the log analyzer looks for reconnaissance activity, and the packet inspector provides real-time visibility into traffic the service generates. Security automation compounds.
Every tool in this article follows the same arc: observe, analyze, report. The port scanner observes which ports respond. The hash verifier observes whether a file matches expectations. The log analyzer observes behavioral patterns. The packet inspector observes live traffic. In each case, the code's job is to take raw data, apply a question to it, and produce an answer structured enough for a human or machine to act on. That is what security automation is at its core -- and Python happens to be an exceptionally efficient language for expressing it.
The tools in this article are intentionally self-contained so you can run and modify each one immediately. But the sections on JSON export, logging, and tool hardening are where scripts stop being experiments and start becoming infrastructure. From here, the natural next steps are building a simple CLI with argparse that wraps these functions behind consistent flags, writing unit tests against known-good inputs so you can refactor with confidence, and packaging the tools into a single installable module you can deploy across machines. Security automation is a discipline you build incrementally, one tool at a time, and Python makes that iteration genuinely fast.