Most SMBs do not have a shortage of security policies. They have a shortage of working measures.

Somewhere there is an information security policy stating that awareness training was once conducted, and that the IT partner took care of "something with a firewall and antivirus". But when ISO 27001 or NIS2 comes up, the familiar panic suddenly sets in: logs, vulnerabilities, passwords, phishing, monitoring, suppliers, audits—everything must be addressed at once.

That is exactly where things go wrong.

Security does not have to start with a thick consultancy report or an expensive enterprise platform. You can reduce many practical risks today with good open-source tools. Not because open source is magical. Not because free is the same as simple. But because, by following the right order, you can quickly get a grip on the biggest gaps: passwords, phishing, exposed servers, logging, vulnerabilities, and network access.

The hard truth: open source saves on licensing costs, but not automatically on management costs. Some tools are up and running in an afternoon. Others only deliver value when someone seriously manages them.

That is why below is not a random list of "nice free tools", but a practical SMB order: what directly removes risk, what helps with ISO 27001/NIS2, and what you should not start naively.

1. Bitwarden or Vaultwarden

If you address one thing today, make it passwords.

Many SMBs act as if password management is a mature process. In reality, passwords are still too often stored in Excel files, browsers, shared notes, WhatsApp chats, or "just temporarily" in a project folder. Or the same password is reused across all systems.

That is not security. That is waiting for disaster to strike.

Bitwarden is an open-source password manager. Vaultwarden is a lightweight self-hosted alternative that works with the Bitwarden clients. It gives you shared vaults, strong password generation, browser extensions, mobile apps, and checks for weak or reused passwords.

Why this has immediate value

Credential abuse is one of the most common starting points for incidents. An attacker does not need to hack your firewall if they simply find a reused password.

With a password manager, you achieve three things at once:

1. Employees no longer need to remember passwords.

2. You can enforce unique, long passwords.

3. You gain control over shared accounts and access management.

The latter is important for ISO 27001. Access must be managed. Not "roughly known by IT".

When do you pay?

Bitwarden is free for individual use. For team features, shared collections, SSO, and reporting, you pay a relatively low fee per user per month. You can self-host Vaultwarden for free, but then you are responsible for updates, backups, availability, and security of the environment.

The SMB pitfall

Self-hosting sounds great, but it means putting your digital keychain on your own server. If you do not have a tight update and backup process, you turn a security solution into a new high-risk target.

Practical first step

Keep it simple: choose Bitwarden Teams or Business, turn on MFA, create shared collections per department, and migrate the most risky passwords first: admin accounts, hosting, DNS, Microsoft 365, accounting, bank integrations, and client portals.

2. CrowdSec: block the noise before it turns into work

Every server connected to the internet is scanned. Not once in a while. Constantly.

Bots scan for open ports, weak logins, known vulnerabilities, and misconfigured services. Many SMBs do not even notice this noise. They only notice when a server slows down, a login gets brute-forced, or a vulnerable service is exploited.

CrowdSec is an open-source security engine that detects malicious behavior via logs and can then actively block it. Think of it as a modern Fail2ban, but with community threat intelligence.

Why this has immediate value

CrowdSec looks at behavior. For example:

• repeated failed logins;

• brute force on SSH;

• scans on web servers;

• suspicious HTTP requests;

• attacks that have also been seen with other participants.

The strength lies in the community effect. If many other participants flag an IP address as malicious, you benefit. This blocks a large portion of automated internet noise before it impacts your systems.

When do you pay?

The engine and detection rules are free. You can pay for more extensive console features, longer retention, and premium blocklists.

The SMB pitfall

CrowdSec primarily protects what produces logs and where you connect it properly. It is not a full WAF, not a SIEM, and not a replacement for patching. A poorly maintained server remains a poorly maintained server, even with CrowdSec in front of it.

Practical first step

Install CrowdSec on internet-facing servers, link it to SSH, Nginx/Apache, or Cloudflare, and start blocking brute force and scanning. This is one of the best effort-to-impact measures on this list.

3. Pi-hole or AdGuard Home: DNS filtering for very little money

Many attacks start with a click. Not every click leads directly to malware, but often to a domain you would rather not have on your network.

Pi-hole and AdGuard Home work as network-wide DNS filters. They block ads, trackers, and known malware or phishing domains before a connection is established.

In plain English: if a laptop wants to connect to a bad domain, you block that request at the name translation level.

Why this has immediate value

DNS filtering is no magic bullet, but it is a cheap extra layer. It helps against:

• known phishing domains;

• malware command-and-control;

• tracking and unwanted ad domains;

• insight into which devices are connecting where.

For SMBs, this is interesting because of its low barrier to entry. You do not need a large security team to start. This also helps fulfill the web filtering standard clause of ISO 27001.

When do you pay?

The software is free. You only need hardware or a small VM. Think of a Raspberry Pi, mini PC, or virtual machine.

The SMB pitfall

DNS filtering works best within your own network. Outside the office, you need additional setup, for example via VPN or endpoint DNS. In addition, some applications can use hardcoded DNS or DNS-over-HTTPS, bypassing your filter.

Also important: do not create a single point of failure. If your only DNS filter goes down, your internet access might stop working.

Practical first step

Set up two instances, use reliable blocklists, log per client, and test with a small group of users first. Then add malware and phishing lists and monitor what gets blocked.

4. GoPhish: make awareness measurable instead of an annual show

Phishing training is often an annual ritual. Employees click through an e-learning module, answer a few easy questions, and everyone feels safe again.

Until the first real phishing email arrives.

GoPhish is an open-source framework for phishing simulations. You can run campaigns, design emails, use landing pages, and track who opens, clicks, or submits data.

Why this has immediate value

GoPhish makes awareness concrete. Not as a tool for blame, but as a measuring instrument.

For example, you see:

• which departments are more vulnerable;

• which types of emails work;

• whether employees report suspicious emails;

• whether click rates drop after training;

• which processes need extra protection.

This fits well with ISO 27001 A.6.3 on awareness, education, and training. But note: phishing resilience is never just about training. Real resilience comes from a combination of people, organizational, and technical controls: secure authentication, logging, monitoring, web filtering, incident management, and supplier management.

When do you pay?

GoPhish is free. You do need a server, sending domain, and proper email configuration. The time is mostly spent on campaign design, deliverability, and careful internal communication.

The SMB pitfall

Do not use GoPhish to publicly catch employees out. That creates fear, not resilience.

The question is not: "Who clicked?"
The question is: "Why did this attack work, and what technical or process control prevents damage if someone does click?"

Practical first step

Start with one simple campaign per quarter. Measure not just clicks, but reporting behavior. Train finance, HR, management, and the service desk separately, as they face different risks than general staff.

5. Lynis: quick hardening audit for Linux servers

Many servers run for years without close configuration checks. Updates lag. SSH is left open too wide. Logging is misconfigured. File permissions are slightly off. Unnecessary services are still running.

These seem minor, until an attacker exploits exactly that type of misconfiguration.

Lynis is an open-source security auditing tool for Linux/Unix systems. It performs hundreds of checks and provides concrete improvement points.

Why this has immediate value

Lynis is practical because you quickly get a baseline. No heavy process. No big dashboard. Just run it and see where your server can improve.

It looks, among other things, at:

• patch status;

• system configuration;

• logging;

• authentication;

• file permissions;

• hardening settings;

• compliance-related points of attention.

For audits, this is highly useful as you can prove improvement. For example: a hardening score starting at 62, later hitting 81. That is better than saying: "Our servers are securely configured." Proof beats assumption. Lynis can also run automated audits on a schedule, which is even better for security and provability.

When do you pay?

The open-source version is free. Lynis Enterprise offers central reporting, dashboarding, and support.

The SMB pitfall

Lynis does not fix anything automatically. It gives recommendations. Someone has to review, prioritize, and execute them. With one server, this is manageable. With twenty servers, doing it manually quickly becomes messy.

Practical first step

Run Lynis on all Linux servers, export the results, and address high-impact points first: updates, SSH hardening, logging, unnecessary services, and permissions.

6. Greenbone OpenVAS: make patch policy verifiable

Many organizations say: "We patch regularly."

Great. Prove it.

Greenbone OpenVAS Community Edition is an open-source vulnerability scanner. It scans systems and networks for known vulnerabilities and generates reports with severity scores.

Why this has immediate value

Vulnerability management is one of those subjects where SMBs are often too vague. There might be a patching routine, but no one knows exactly:

• which systems are vulnerable;

• which vulnerabilities are critical;

• which patches are missing;

• which risks have been open for months;

• whether external systems score differently from internal systems.

OpenVAS makes this visible. This supports ISO 27001 A.8.8 on the management of technical vulnerabilities and NIS2 risk management measures.

When do you pay?

The Community Edition is free. The commercial Greenbone Enterprise Feed is more current and extensive. That is what you pay for.

The SMB pitfall

A vulnerability scan is not absolute truth and offers no guarantees. Scans can be slow, generate false positives, or miss vulnerabilities. Without interpretation, you end up with a thick report that nobody reads.

That is the paper-only ISO trap in technical form: having a report and thinking you have mitigated the risk.

Practical first step

Scan your external IP addresses and critical internal servers first. Then make a simple remediation list: critical within 7 days, high within 30 days, medium in line with your patch cycle. Keep exceptions minimal and documented.

7. OPNsense: enterprise firewall without the enterprise license

A firewall is not exciting. Until you discover remote access is left open, guests and servers are on the same network, or old ports are still open "because it was once convenient".

OPNsense is an open-source firewall/router platform. It offers stateful firewalling, VPN, VLANs, IDS/IPS via Suricata, captive portal, traffic shaping, and reports.

Why this has immediate value

For SMBs, OPNsense is mostly interesting for three things:

1. Network segmentation
   Separate office, guests, servers, IoT, and management environments.

2. Secure remote access
   Use VPN instead of open RDP, loose port forwards, or "temporary" exceptions that never go away.

3. Network traffic visibility
   You get more control over what travels through your network.

When do you pay?

The software is free. You pay if you want hardware, support, or the Business Edition.

The SMB pitfall

OPNsense usually replaces your router/firewall. That makes it an infrastructure project rather than a simple tool installation. Incorrect configuration can cause downtime or create a false sense of security.

Practical first step

Do not start changing everything immediately. Map out your network first: internet connection, VLANs, servers, printers, WiFi, guest network, VPN, port forwards. Then migrate systematically and test your rollback plan.

8. Wazuh: SIEM/XDR for those who want to take logging seriously

Now we come to Wazuh.

Wazuh is an open-source platform that combines SIEM and endpoint monitoring. It collects logs, monitors endpoints, detects vulnerabilities, checks configurations, and provides compliance dashboards for ISO 27001 and PCI DSS, among others. Wazuh is a very good all-in-one platform.

Why this has value

Wazuh addresses a major gap in many SMB environments: detection and logging.

It can help with:

• log aggregation;

• file integrity monitoring;

• host-based intrusion detection;

• vulnerability detection;

• CIS benchmark checks;

• MITRE ATT&CK mapping;

• automated alerts;

• compliance reporting;

• active response.

For ISO 27001, the link to logging and monitoring is particularly relevant. Think of A.8.15 and A.8.16. Many SMBs have very little practical evidence for this. They have logs, but nobody uses them. Or they have alerts, but no follow-up.

Wazuh can improve that.

In addition, Wazuh assists with vulnerability management, configurations, and systems auditing.

When do you pay?

Self-hosted Wazuh is free with no license fees. You do pay for infrastructure: a powerful VM, storage for log retention, backups, and management. The managed cloud alternative works with subscriptions based on agents and support level.

The SMB pitfall

Wazuh is powerful, but not lightweight. You need Linux knowledge. Installation, configuration, tuning, and management require serious effort. Much of it runs through CLI. Alerts must be filtered. Use cases must be set up. False positives must be reduced.

A SIEM without follow-up is like a smoke detector without a battery. It looks nice on the ceiling, but it will not save anyone.

Practical first step

Do not use Wazuh as your first tool if your basics are still messy. Only start when password management, patching, firewalling, and logging sources are reasonably in order. Then start with a small scope: critical servers, management accounts, and vulnerability detection. Only expand once you actually follow up on alerts.

9. Suricata: network detection for traffic that endpoints miss

Not everything runs on an endpoint where you can install an agent.

Think of printers, IoT devices, network hardware, legacy systems, or servers over which you have limited control. Endpoint security often misses these. Suricata scans the network traffic directly.

Suricata is an open-source IDS/IPS engine. IDS means intrusion detection system: recognizing suspicious patterns. IPS means intrusion prevention system: actively blocking traffic.

Why this has value

Suricata can see attacks that endpoint tools miss, such as:

• lateral movement;

• suspicious protocol activity;

• scanning within the network;

• exfiltration patterns;

• traffic from devices without an agent;

• known attack signatures.

It also integrates well with OPNsense and can deliver output to Wazuh or Elastic.

When do you pay?

The engine is free. The ET Open ruleset is free. You pay for the more extensive ET Pro rules.

The SMB pitfall

Suricata without tuning quickly becomes an alarm machine. Lots of alerts, very little action. And with encrypted TLS traffic, you will not see everything.

Here too: alerts without an owner are useless.

Practical first step

Deploy Suricata mainly in combination with OPNsense. Start in detection mode, see which alerts are relevant, tune the rules, and only then carefully enable prevention for clear, low-risk blocks.

10. Keycloak: SSO and centralized access, but only if it fits

Keycloak is an open-source identity & access management platform. It offers single sign-on, MFA, user management, roles, integration with LDAP/AD, and support for standards like OIDC and SAML.

In plain terms: one central place to manage access to applications.

Why this has value

Access management is one of the messiest areas in SMBs.

Employee leaving the company?
Then twenty accounts have to be deleted.

New employee?
Then everyone creates an account somewhere.

MFA?
Sometimes yes, sometimes no.

Permissions?
"I think they need the same role as John."

Keycloak can centralize this for self-hosted or internal applications. Doing so reduces the risk of forgotten accounts, weak authentication, and messy offboarding.

When do you pay?

Keycloak itself is free. The real cost lies in hosting, setup, and implementation time. You might pay for support via commercial channels.

The SMB pitfall

Keycloak is not necessary for every SMB. If you are fully on Microsoft 365, you often already have an identity platform with Entra ID. In that case, Keycloak usually adds extra complexity and might even be unnecessary. Only use Keycloak if you know exactly what you are doing.

Mainly use Keycloak if you run multiple self-hosted applications and lack central SSO/MFA.

Practical first step

Inventory your applications first. Do you have multiple internal or self-hosted tools lacking a proper central login? Then Keycloak could be useful. If you mostly use Microsoft 365 and SaaS applications, focus on configuring Entra ID properly first.

The right order: do not start with the heaviest tool

The classic mistake is starting with the tool that sounds the most impressive.

So people buy or install a SIEM. Or an IDS. Or a vulnerability scanner. Then comes a dashboard full of alerts, nobody looks at them, and three months later the project is declared "too complex".

Security works the other way around.

First, tackle the risks that frequently lead to incidents and are easy to reduce.

Practical implementation order for SMBs

The sober conclusion: do not start with Wazuh or Suricata if your passwords are still in Excel. That is like installing CCTV while leaving the front door wide open.

What does this mean for ISO 27001 and NIS2?

Open-source tools do not automatically make you compliant. That is the paper-only ISO mistake.

A tool is not a control until you can demonstrate:

• why you are using it;

• which risk you are mitigating with it;

• who manages the tool;

• how often you perform checks;

• what you do with alerts;

• what evidence you keep;

• how improvements are followed up.

For ISO 27001, providing that evidence is crucial. Not as a bureaucratic hobby, but because an auditor wants to see that your security actually works.

Examples:

• Bitwarden supports access control and protection of authentication information.

• GoPhish supports awareness and training.

• OpenVAS supports vulnerability management.

• Wazuh supports logging, monitoring, and detection.

• OPNsense supports network segmentation and secure access.

• Lynis supports hardening and demonstrable improvement.

• Pi-hole supports web/DNS filtering as an extra layer of defense.

• CrowdSec supports protection against brute force and scanning.

• Suricata supports network detection.

• Keycloak supports centralized identity and access management.

But again: the auditor does not certify your tool stack. The auditor assesses your management and control.

The no-nonsense approach: start small, prove it, build up

The traditional consulting world often makes security too big. Months of talking first. Then writing policies. Then mapping frameworks. And somewhere at the end, someone asks: "But does this actually work?"

Turn it around.

Start with a narrow baseline that immediately reduces risk:

1. Get passwords under control
   Bitwarden or Vaultwarden. No Excel. No shared browser passwords.

2. Protect internet-facing systems
   CrowdSec, patching, firewall rules, no open management ports.

3. Limit phishing pathways
   DNS filtering, GoPhish, MFA, reporting process, email security.

4. Make vulnerabilities visible
   OpenVAS and Lynis for periodic scans and hardening.

5. Mature your network and logging
   OPNsense, Wazuh, and optionally Suricata once someone is managing the alerts.

6. Centralize identity where necessary
   Keycloak only when the landscape demands it.

This is more practical than brushing your teeth once a year just before visiting the dentist. You build security that works daily, and the audit simply becomes the moment you show what you are already doing.

Conclusion: free tools are not free, but they are smart

Open-source security tools can be incredibly valuable for SMBs. Not because they cost nothing, but because they force you to think practically.

What is the risk?
Which tool reduces that risk?
Who manages it?
What evidence does it produce?
What do we do when an alert comes in?

If you do not answer those questions, you just get more dashboards, more alerts, and a false sense of security.

If you do answer them, you can build a serious security baseline with relatively limited resources. Start with the tools that directly reduce risk. Only then build out heavier detection and compliance.

The right order is simple:

First control. Then visibility. Then mature monitoring. Not the other way around.

Disclaimer

Before using open-source tools, read the license terms of the respective tool carefully to ensure your organization is permitted to use the tooling (for free).