A Very Opinionated List of Security Tools
Because I go on camera and inadvertently create the impression that I know what I'm doing, I often get asked what the "best" tool for a given situation is. This question often comes from a place of wanting to invest time in learning a new tool, and folks want to make sure they're making a wise decision with their time.
Unfortunately, there is no "best" tool. There are only tools that work for you and don't. Everything else is just silly tribalism. People can get very loyal to brands, to operating systems, to...text editors. None of that is about technical advantages/disadvantages; it's entirely about being part of an in-group. Resist the urge to loyalty to tools. Get your work done with what works for you.
With that warning out of the way, I felt it was appropriate to put together a list of what works for me. That's all this is. I make no claims about any of these selections being better than others, much less "the best." They're the set of things I've cobbled together over years of experience and that I've become comfortable using. You may love them. You may not. Either way, I hope this list proves a valuable starting point for creating your own set of preferred security tools.
Table of Contents
- Table of Contents
- How to Read This List
- How NOT to Read This List
- My Biases
- The Lazy Version
- Base System
- Cross-Functional Tools
- WebApp Pentesting
- Threat Hunting/DFIR
- Malware Analysis/Debugging
How to Read This List
This is a list of tools I use across multiple job descriptions: web app pentesting, threat hunting, malware analysis, and more.
Each item in this list will have a link, an explanation of why I like it, some things I put up with while using it, and recommendations to configure it for best usability. Use these details as a starting point for your toolset, not a prescription. My methods and preferences will almost certainly not be yours, and that's okay! Even if you discover that you don't like these tools, this list has done its job by pointing you in a direction.
Of course, some of you hate reading, so I've provided the quick list of the tools detailed here for the impatient.
How NOT to Read This List
This is in no way an invitation to debate. If you think I'm wrong, that's fine. If you want to convince me you're right, let me stop you right there. I have no interest in debates about what tools are better. These tools work for me. If I find compelling evidence why I shouldn't use them, like if a CEO is weirdly into cryptocurrency, I'll change it up. I'm happy you have your preferences. These are mine. They don't have to be the same.
My Biases
I want to be clear about some of my biases when choosing tools right up front. Take these with you as you evaluate this list.
- Whenever possible, I choose the open source option. Yes, I mean open source.
- I prefer cross-platforms tools for when I need to work on other OSes.
- I care about the ethics of the developers (and will make changes when I learn something new).
- I will choose interoperability over aesthetics.
The Lazy Version
Base System
- Operating System: KDE Neon
- Web Browser: Vivaldi
- Terminal (Linux): Terminator
- Terminal (Windows): Windows Terminal
- Shell: Fish
- Password Manager: Bitwarden
Cross-Functional Tools
- Text Editor: Vim
- Text Editor (alternate): VSCode
- Notes: Joplin
- Screenshots: Flameshot
- Terminal Multiplexer: Tmux
WebApp Testing
- HTTP Proxy: ZAProxy
- Directory Fuzzer: Feroxbuster
- API Testing: Insomnia
- Better cURL: HTTPX
Threat Hunting/DFIR
- IoC Management: Sigma
- Incident Response: Mandiant Redline
- Deep Analysis: Jupyter Lab
Malware Analysis/Debugging
Base System
KDE Neon
Operating System:This Linux distribution is based on Ubuntu LTS, but uses the latest packages from KDE to get you the latest and greatest features of the Plasma Desktop.
Why I Like It
I've used so many Linux distributions over the years I've lost count. Yes—including Arch, both from scratch and prepackaged with the lovely (and now discontinued) Antergos. But the season of distrohopping or spending all my time and energy futzing with my OS has passed for me. I need my stuff to work with a minimum of configuration. That said, I do have some configuration I want easily available in my desktop environment. That's why the Plasma desktop is my preferred Linux DE. And for some time now, its resource usage has outperformed GNOME. It's not as lightweight as the tiling windows managers or XFCE, but it's light enough, with an attractive out-of-the-box appearance that enables you to get working quickly.
Stuff You Gotta Deal With
The package manager in KDE Neon is weird! For some reason they hate when you use apt upgrade
. Instead they have their own pkcon
tool for upgrading packages. It's fine, but I'd prefer they not mess with the standard tool.
Tips to Make It Great
Configuring your virtual desktops, keyboard shortcuts, etc. can make Plasma a joy to work with. I strongly recommend taking some time to configure these to your preferences.
Get comfy with snaps! Snaps (and Flatpak) are supported by the Discover software store, and allow easy installation of many common apps.
Vivaldi
Web Browser:Until recently, I was a steadfast Brave user. Then I learned some grodier stuff about how Brave's business model works, and the behavior of their CEO. Vivaldi fills my need for a privacy-respecting Chromium-based browser with a few extra features I really need and don't exist in plain ol' Chromium.
Why I Like It
Vivaldi is Chromium-based, which means my must-have browser extensions all work fine with it. It also has the DevTools I prefer. I'm sorry Firefox, as much as I want you to be amazing, there are parts of my computing life that require some Goog-only tools (like casting). And before someone tells me how I can accomplish all this with Firefox: I know. I've tried. It's hacky and unreliable and I decided against it.
Vivaldi is fun! It feels like old-school Opera, with unexpected bells and whistles. Some fun stuff I didn't expect:
- Tiled tabs
- A neat little sidebar for apps like Mastodon or Wikipedia
- Add effects to pages like invert colors or sepia tone
Vivaldi also has cloud-synced profiles for extensions settings, and other data. This is essential for me, as I use these profiles to sync my pentesting setup from machine to machine.
Now you might have privacy concerns about this, which is fair. But good news: the entire profile is end-to-end encrypted with a master key of your choosing.
Stuff You Gotta Deal With
Some of Vivaldi's behaviors are weird, like how it handles tab movements from window to window. That just goes against muscle memory, but it's mostly fine. Same goes with how tab opening works, or the fact that you need to specifically configure it to always prefer HTTPS in the settings.
The one actually annoying thing I've found concerns dark mode. On Linux, Vivaldi does not honor system color schemes. Yes, you can add a dark theme to Vivaldi, but websites like GitHub and Microsoft Learn which are using OS-level settings for color scheme will default to light, as will any error pages. There is a Chrome flag you can set that will enable dark mode on everything, but that can add its own complications. I haven't found a good solution for this; I'm mainly hoping Vivaldi sorts it out in an upcoming version.
Tips to Make It Great
Make. Your. Own. Theme. Vivaldi has a built-in theme editor that is simple to use, and very fun!
Also definitely take the time to create a profile and sync it for easy movement of configs from machine to machine.
Terminator
Terminal Emulator (Linux):You need a terminal emulator. The built-in one in KDE (Konsole) is just fine. But Terminator has a lot of out-of-the-box features I enjoy, and enough functionality that you don't have to resort to a terminal multiplexer if you don't want to. That plus easy configuration for color and font themes win me over.
Why I Like It
Some of my favorite features:
- Easy splitting of windows
- Broadcast mode to send the same commands to multiple panes
- Easy profiles/theme configuration
- Tabs and tiling
Stuff You Gotta Deal With
Don't forget to make terminator
your command for Ctrl+Alt+T
or whatever your favorite shortcut is!
Tips to Make It Great
Take some time to make a custom profile and save it somewhere you can move it between machines. That config lives at ~/.config/terminator/config
.
Windows Terminal
Terminal Emulator (Windows):Hardly a unique choice, but I think it's important to call out how good this piece of software really is. It makes using multiple shells (PowerShell, cmd, WSL) in combination on Windows quite pleasant. And with some hidden superpowers, it's maybe my favorite first-party tool from Redmond.
Why I Like It
Ever used PowerShell? Ever get tired of the blue window? How about the constant separate windows? Windows Terminal solves this with tabs, panes (yes, really), and handling multiple profiles for firing up shells of all kinds. It even integrates with your WSL installs (which you should absolutely be using) to put all your terminal needs in one place.
Stuff You Gotta Deal With
I think a fix for this is on the way, but for now opening Admin shells is still a bit odd for Windows Terminal.
Tips to Make It Great
Find a theme! Use it! Then customize your PowerShell experience following these steps.
Fish
Shell:Bash is Fine. Zsh is fine. But I'm a Terminal dork, and I wanted something a little more feature-filled. I happened upon Fish years ago, and have been satisfied with it ever since.
Why I Like It
#!/usr/bin/fish
# Resize images in a directory
cd images
for i in (ls *.png)
convert -resize 50% resized-$i
end
How is that for some clean syntax? Maybe it's not POSIX-compliant, but honestly that never really gets in my way. Instead, I have a much cleaner scripting language.
What's more, Fish has top-rate command completion and history, better even than zsh. It is just a much more comfortable shell to use every day.
Stuff You Gotta Deal With
Sometimes, certain programs that expect a POSIX-compliant shell will have issues in Fish. You can drop to a bash or zsh session in those cases, or wrap the program invocation in bash -c
if you really need to. It doesn't happen often, but it's worth knowing the workaround when it does.
Tips to Make It Great
Right away, install Oh My Fish to add extensions to fish, including themes and other capabilities.
I use OMF to install bobthefish, which provides Git symbology on the command line. To use it, you'll need Powerline enabled fonts, which you can get here.
BitWarden
Password Manager:Why I Like It
I was a LastPass customer for over a decade. Their recent mismanagement of their security incident convinced me they could no longer be trusted with my information. However, their failure is not an indictment of the concept of a password manager. While some feel that a local-only solution like KeePass is the only "secure" solution, I feel strongly that tools like a browser-integrated password manager are necessary as long as passwords are around to improve the overall strength and uniqueness of users' passwords.
So, Bitwarden. They've been around for some time, offering both a hosted and self-hosted version of an open source password management solutions.
Stuff You Gotta Deal With
One thing I liked about LastPass was some of the custom data types they had out of the box, like bank accounts and SSH keys. Bitwarden lacks these, but can store the data nevertheless.
Tips to Make It Great
I'm still learning about Bitwarden, but I think my biggest recommendation for making it great is to use it. Like actually use it. Make it part of your everyday use of your browser. Use the mobile app. Tell your friends. Make weak passwords a thing of the past.
Cross-Functional Tools
Vim
Text Editor:Use it or don't. It's not a religion and nobody's making you.
Why I Like It
Let's get this out of the way. Vim is hard to use. Anyone who says otherwise is being pretentious and trying to appear superior. It's not the kind of text editor anyone starts with. It requires practice to gain proficiency. Many commands are unintuitive, or intuitive for a different generation.
This is starting to read like why I don't like it. And yet, I love Vim. It took me a while to get comfortable with it, but after forcing myself to do so, Vim became kind of a superpower for a lot of use cases. Processing text files with Vim makes many processes faster or cleaner. It can be a hex editor. It can filter values. Oh, and of course the regular expression support.
Stuff You Gotta Deal With
Well, it's Vim. You have to learn it. I think it's worth the time investment for the powerful tool you gain access to.
Tips to Make It Great
Vim has a vast plugin ecosystem. VimAwesome is where you'll find them. There are multiple Vim plugin managers, but I've settled on Vim-Plug.
My .vimrc
is pretty specialized, but you can certainly see it as a starting point.
Visual Studio Code
Text Editor for Programming:I've used all the Electron-based text editors—all the way back to Adobe Brackets. Atom was cool, until it wasn't. Sublime Text is its own thing, and so is Notepad++. Kate on KDE is pretty neat as well, but for a single solution across platforms and languages, Visual Studio Code can't be beat.
Why I Like It
Extensions. That's why. The extension ecosystem gives VSCode the benefits of an IDE without the bloat of an IDE.
I write Rust, I get the benefits of rust-analyzer
. I write Hashicorp stuff, I have HCL syntax support.
Heck, I can even load Jupyter Notebooks if I want. I can even open the editor directly from Windows Subsystem for Linux and interact with my projects on that filesystem.
Stuff You Gotta Deal With
Memory bloat, I guess? I've honestly never had a real issue with VSCode. It's a very solid bit of kit.
Tips to Make It Great
Extensions make the difference. But one super important setting that isn't an extension is bracket pair colorization. This makes brackets and parentheses pairs use separate colors to make them easier to visually match. Not sure why this isn't a default, but it's suuuuper handy.
Obsidian
Notes:You might think it's weird for someone who wrote a whole dang C2 framework for a different notes app to be recommending this one. I promise there are good reasons.
Why I Like It
I'm a text guy. Not everyone is. I know some folks take notes primarily by diagram. Me? I'm too hyperverbal for that. I like lists. I like paragraphs. I like headings. Put simply, I like Markdown, and anything that gets in the way of me writing Markdown for my notes is not a value-add. That's why Notion, as nifty as it is for several use cases, is not my preference for note-taking.
So why Obsidian? Why not another Markdown-based solution like Joplin, especially since that one is fully open-source?
For a long time, Joplin was the recommended note app in this section. And then I ran into some cases where its limitations started to bug me. In particular, a rather unhelpful task list format, as well as a poor mobile version, led me to re-examine Obsidian. When I did, I found I was much happier with it this time around. I use Obsidian Sync for end-to-end encryption, but I also like that I could use a Git repo.
But perhaps the most important difference between Obsidian and Joplin for me is that Obsidian uses flat Markdown files that you could read with anything else. Joplin creates this bizarre proprietary tree of diffs, almost like an ad-hoc Git repository itself. It's impossible to inspect the Joplin folder for the single note file you want. This presents a form of lock-in that made me increasingly uncomfortable. Obsidian removed that issue. My notes are simple folders of Markdown now, so if I choose to move on from Obsidian, the transfer process is painless.
By syncing encrypted notes with Obsidian Sync, I get the convenience of my notes everywhere with the security of end-to-end encryption. That makes Obsidian suited even for red team engagements, as described in Responsible Red Teaming.
Obsidian also has a rich publishing option that allows you to make a website directly from your Vault! I'm very excited at this prospect for knowledgebase creation.
Stuff You Gotta Deal With
The mobile app is just the desktop app with responsive scaling. That's both bad news and good news. The bad news is sometimes wonky interface choices. The good news, and this really blew me away, is that all the desktop extensions work on mobile! This was critical for me, as I rely on some of those extensions for my workflow, both at my desk and out in the world.
Tips to Make It Great
My list of must-have plugins for Obsidian:
Dracula Theme Official
: Naturally.Kanban
: The Trello-like task management is how I run my life.Excalidraw
: The built-in Canvas tool is really neat, but come on! Who doesn't love those whimsical diagrams?Ozan's Image in Editor Plugin
: Allows image previews in Markdown mode. This should be native.Copy Document as HTML
: Does what it says. Copy the document or selection as HTML. Super useful for transferring to things like Google Docs.
Flameshot
Screenshots:Plasma Desktop has its own built-in screenshot tool which works well enough. As does Windows, of course. I lived and died by Win+Shift+S
before I discovered Flameshot. Now, I use it basically exclusively for my screengrabbing needs.
Why I Like It
It's cross-platform, for one thing. With Flameshot, I can standardize my screenshotting process across any OS I'm working on. Easy access to annotation/redaction tools makes it an even bigger win.
Stuff You Gotta Deal With
The only, ONLY thing that's a tad frustrating with Flameshot is that on Linux, you'll need to manually bind a key sequence to the command flameshot gui
for keyboard access. Clicking on the taskbar icon works too, but I'm a keyboard guy.
I have Meta+Shift+F mapped to flameshot gui
on my Linux machines.
Tips to Make It Great
In addition to setting keyboard shortcuts, setting your font and color preferences can really personalize your screenshots. Other than that, this thing is pretty much perfect out-of-the-box. Install it everywhere.
TMux
Terminal Multiplexer:If you're on a Linux system, you likely already have TMux installed, or it's readily available. TMux is another one of these tools that require some practice to use well, but I think it's quitel worth the time investment for the productivity wins.
Why I Like It
Even though the terminal emulator I prefer (see above) can split panes, TMux can do so both locally and on a remote system, and does so much more fluidly than Terminator does. Once the keyboard shortcuts are muscle memory, it's trivial to fire up new tabs and panes to move about the environment, set up ad-hoc dashboards, or monitor systems/output.
Stuff You Gotta Deal With
Like Vim, TMux takes practice. The good news is, there are a ton of resources to learn. TryHackMe even has a room on TMux! I recommend going through it.
Tips to Make It Great
TMux Plugin Manager grants you access to some very useful extensions. My tmux.conf gives you some idea of what's possible, including saving sessions and making copy/paste easier.
WebApp Pentesting
ZAProxy
HTTP Proxy:No surprise here. I wrote an entire course on how to use ZAP for professional webapp testing. But I actually do love it. The ZAP team have created a powerful open source tool for web app testing that competes favorably with commercial alternatives. I started using ZAP when Burp Pro was not available through my employer, and I got comfortable enough with it to actually prefer ZAP.
Why I Like It
This is going to bewilder some of you, but I find the ZAP user interface much easier to navigate than Burp's. I won't go so far as to call it intuitive—just too many knobs and levers for that—but I never get lost.
The Fuzzer in particular works extremely well, and getting comfortable with that aspect of the app will make your testing much more effective. The same is true for the authentication handling and context configurations, which allow you to specify what technologies you're attacking for a given context. Basically, I appreciate how configurable ZAP is for the specific test I'm doing.
And when I'm done, the reporting is invaluable. ZAP's built-in reports are not the only necessary artifact of a proper webapp test, but they provide important details such as specific parameters for a discovered vulnerability, as well as CWE listings to guide report recipients in remediation.
Stuff You Gotta Deal With
Like any Java application, ZAP could be more performant. Sometimes when handling large responses, ZAP freaks out and I've had to kill the window. Luckily sessions can be saved so recovery isn't too bad. I don't recommend running ZAP on anything less than 8GB of RAM.
ZAP will raise a ton of what I consider "junk" alerts by default. You'll want to configure some Global Alert Filters to adjust severity for your own situation.
Tips to Make It Great
ZAP's plugins really are something else. Here are a few I love:
- FuzzDB Lists
- Python Scripting
- Community Scripts
- Wappalyzer
- SAML
- JSON view
Python scripting is its own rabbit hole, but even the built-in Zest scripting can easily extend ZAP's abilities for you. Explore the script templates and community scripts to get a sense of what's possible.
I'd also recommend checking out the Automation features. These allow you to create scan templates and sets of tasks to be run for each new context. Takes a lot of the setup out of your testing process.
Feroxbuster
Directory Brute Forcer:There are tons of great options in this space. Dirbuster, GoBuster, and more. None of them have stayed slotted into my workflow like Feroxbuster. Sure, I'm inclined to like Ferox because it's written in Rust, but it's the featureset that keeps it on the lineup.
Why I Like It
Feroxbuster is fast. Like crazy fast. Sometimes too fast (see below). But it gets the job done, and does so with a host of configuration options that work perfectly for my methodology.
Stuff You Gotta Deal With
Feroxbuster can be so fast that it can bring down less resilient servers. It's important to use the command-line options to run it at the correct speed and concurrency rate for your target. I tend to use -L 15 -t 15
for my default throttle, but that's 225 concurrent requests. If you need to slow it down, remember that your concurrent requests will be:
connection limit (-L
) x threads (-t
)
So 2 threads with a connection limit of 10 results in 20 concurrent requests.
It's really worth your time to read the surprisingly extensive documentation.
Tips for Making It Great
As above, read the docs. But here are a couple of options I love:
--burp-replay
: Automatically sends any hits on your configured status codes (-s
) to a proxy listening on port 8080.--auto-bail
stops scanning directories with a ton of errors
Insomnia
API Testing:ZAP is great when there's a browser-based interface to test. That isn't always the case. Sometimes you're testing an API directly. I used to use Postman for this, but in keeping with my attempt to use open source tools whenever possible, Insomnia has filled the niche quite nicely.
Why I Like It
Insomnia handles the gnarly parts of API testing fairly seamlessly, like OAuth token acquisition (assuming you have that information). It also makes adding additional headers simple. But perhaps the most important feature of Insomnia is that it does in fact accept Postman collection files as imports. This allows me to work with dev teams who use Postman as a matter of course.
Stuff You Gotta Deal With
Honestly, I'm still getting used to how Insomnia handles certain things, like separate spaces for different projects. In Postman, these were "Collections." Insomnia uses folders. Still works fine, just a different workflow.
Tips for Making It Great
Insomnia also has an extensive plugin ecosystem. I would check out some of the OAuth ones, and perhaps the cloud integrations, if that's your bailiwick.
HTTPX
cURL Alternative:This is not by any means required, but I bet you'll love it once you've tried it. cURL
is great for quick testing of URLs, but it leaves a lot to be desired for the modern user. HTTPX picks up the slack, adding useful command line options to interact with URLs. Output is colorized as well.
Why I Like It
Imagine if cURL
were written with webapp testing in mind. That's pretty much it. The command line options say it all.
Stuff You Gotta Deal With
It's Python, so the normal installation weirdness applies. I strongly recommend pipx.
Tips to Make It Great
Well, sometimes you'll get JSON output, so jq should almost certainly be in the toolbelt.
Threat Hunting/DFIR
Sigma
IoC Management:This one might be a bit obvious, but I'm including it anyway. If you're not using Sigma to generate/save threat detection rules, you should. Sigma means you're not locked into one vendor's weirdo format, and can easily convert rules from one platform to another.
Why I Like It
In a word: sigmac
. The Sigma Converter tool makes it simple to convert rules from a generic Sigma format to specific SIEM queries like Splunk, Azure, and more. It'll even export out to STIX for sharing. IoC Sharing is caring.
Stuff You Gotta Deal With
Not all the converted queries will work perfectly with your setup, depending on field/index names, so you may wish to create a custom conversion config.
Tips to Make It Great
What I just said.
Trellix Redline
Incident Response Triage:You've just gotten access to a compromised machine. You don't have your normal EDR. You don't have other logs. What are you going to do to get data quickly?
That's what Redline is designed for. Redline allows you to create customized collectors to gather exactly what data you want from an endpoint—including memory snapshots if you wish.
Why I Like It
Redline is essentially a self-contained version of Trellix's (née FireEye) endpoint protection software. It uses the same tools to gather evidence, and then displays the evidence in a table-based interface. The collection is simple enough, and the display, while basic, beats the pants off Event Viewer.
Stuff You Gotta Deal With
The timeframe management just straight-up sucks. You can't paste timestamps in any format, and it's a hassle to move back and forth between views because those time filters may or may not be saved. Also, Windows Event logs can be collected, but aren't always parsed correctly, so searching by column of data is hit-and-miss.
Tips to Make It Great
I got nothing. I wish Trellix would update this thing, or any of the other tools they offer. I'm not holding my breath.
Jupyter
Deep Analysis:Well this one comes as no surprise either. I wrote 2 courses on this subject. But really, I can't stress how often I fire up Jupyter notebooks to perform in-depth investigations on collected data. Once you have this capability, it's a superpower.
Why I Like It
I like Python. I like data science. I like Python for data science. But seriously, at the risk of repeating what I've written elsewhere, Jupyter allows the creation of reusable analysis tools that are self-documenting when written correctly.
Stuff You Gotta Deal With
Learning Python isn't exactly a simple prerequisite. There are other kernels besides Python, but none with the analytical toolset so ready to hand.
Tips to Make It Great
Use Jupyter Widgets. Seriously. And learn a data viz library, whether it's Plotly, Seaborn, Bokeh, or d3. Use it well to explain your data.
Malware Analysis/Debugging
Cutter
Disassembler:Sometimes, you gotta look at the bytes. Cutter makes this easy across platforms! And by integrating the Ghidra decompiler, you can even get C-like syntax for your review.
Why I Like It
It's full-featured, easy to use, and gets right to the point of analyzing binaries. What sets it apart from some others is some extra love for exotic binaries. I haven't found anything that parses Rust or Go-compiled samples as well as Cutter.
Stuff You Gotta Deal With
It claims to have a debugger built-in, but I've never seen it work. I really want it to. If the debugger worked, that'd be basically the only tool I'd need for most analysis tasks.
Tips to Make It Great
Cutter is fine as-is, but if you use it in conjunction with its CLI debugger counterpart (see below), you're really cooking' with gas.
Rizin
Debugger:All the cool features (and more!) of radare2 without grody developer behavior. Rizin is a fork of Radare, and this new dev team creates both Rizin and Cutter. I've been using both for some time and quite enjoy the experience—usually.
Why I Like It
It's not GDB.
But seriously folks, I find the command structure much more intuitive for Rizin than the GNU debugger.
The debugging process is quite distinct from GDB's, requiring the use of rz-run scripts or one-liners to load input/arguments.
Stuff You Gotta Deal With
The command line syntax is unique, and takes some getting used to. I recommend going through the Rizin Book to learn the ins and outs.
Also, unfortunately the Python integration is not nearly as complete as it is for GDB. Scripted debugging is possible, but rather unwieldy. Which is why...
Visual mode is also...a lot. Again, it's about practice. But like a lot of other things on this list, the time invested in learning it is rewarded with remarkable capability.
Tips to Make It Great
...Rizin is best paired with an IPython3 REPL in a nearby terminal window. I like doing this with Tmux. IPython (installed with Jupyter) along with pwntools is the perfect companion to Rizin. It's a lot of terminal, but that's how I like to work.
PEStudio
Malware Disposition:This is the first install I make on a malware analysis machine. When investigating a malware sample, I like to work smarter, not harder. My malware analysis is not academic; it's in service of incident response or threat hunting. I don't need to know how every single subroutine works. I do need to quickly disposition a sample for evilness. PEStudio does this by checking for suspicious imports, strings, and VirusTotal results.
Why I Like It
Does what it says on the tin.
Stuff You Gotta Deal With
It can be a little slow, so plan to get a sandwich or do some other analysis while it runs.
Tips to Make It Great
None, really. Consider this a first step in analysis, not a complete picture.
PE-bear
First Look:When you're ready to go a little deeper, PE-bear is a nice middleground between full-on static analysis and the quick disposition provided by PEStudio. With this, you get a hex view, stats, imports, and other information about the executable.
Why I Like It
It's lightweight, cross-platform, and informative at a glance.
One killer feature is the comparison of 2 binaries side-by-side.
Stuff You Gotta Deal With
Nothing frustrating I've found so far, as long as you're using the tool for its purpose.
Tips to Make It Great
None so far. It's pretty great as-is!