This article analyzes open-source tools used by threat actors exploiting vulnerabilities in Ivanti's Cloud Services Appliance (CSA), focusing on the suo5 HTTP proxy tool. It covers suo5's functionality, strategies for detecting it, and the forensic investigations conducted by Synacktiv's CSIRT to understand the attack methods and improve security measures against such threats.