diff --git a/tools.md b/tools.md
new file mode 100644
index 0000000..30b6c28
--- /dev/null
+++ b/tools.md
@@ -0,0 +1,46 @@
+# Tools & Kits 🧰
+
+> A curated kit for red/blue/purple work. Opinionated, lightweight, and actually maintained.
+
+## Recon & Discovery
+- **Nmap** — nmap.org  
+- **Wireshark** — wireshark.org  
+- **Shodan** — shodan.io  
+- **Censys** — censys.io  
+- **Subfinder** — github.com/projectdiscovery/subfinder
+
+## Web App Testing
+- **Burp Suite** — ports­wigger.net/burp  
+- **OWASP ZAP** — owasp.org/www-project-zap/  
+- **SecLists** — github.com/danielmiessler/SecLists  
+- **fuzzdb** — github.com/fuzzdb-project/fuzzdb
+
+## Exploitation Frameworks
+- **Metasploit** — metasploit.com  
+- **BeEF** — beefproject.com
+
+## Reverse Engineering / Binary
+- **radare2** — github.com/radareorg/radare2  
+- **Ghidra** — ghidra-sre.org  
+- **BinNavi** — github.com/google/binnavi
+
+## MITM / Phishing
+- **BetterCAP** — bettercap.org  
+- **mitmproxy** — mitmproxy.org  
+- **Evilginx** — github.com/kgretzky/evilginx
+
+## Privilege Escalation Helpers
+- **LinEnum** — github.com/rebootuser/LinEnum  
+- **linux-exploit-suggester** — github.com/mzet-/linux-exploit-suggester  
+- **BeRoot** — github.com/AlessandroZ/BeRoot
+
+## Malware & Forensics
+- **malice** — github.com/maliceio/malice  
+- **linux-explorer** — github.com/intezer/linux-explorer
+
+## Wordlists & CTI
+- **SecLists** — (again, because you’ll forget)  
+- **Exploit-DB** — exploit-db.com  
+- **Rapid7 DB** — rapid7.com/db
+
+> Got a better tool? Add it under the right section, alphabetically. If it’s niche, add a one-liner why it’s worth anyone’s time.