Cactus

Safe software we recommend

Trustworthy security tools, favouring free and open-source options - to protect your passwords, messages, browsing, and devices.

Build a Windows install script

Tick the apps you want below and we'll generate one script that installs them all with winget, Microsoft's built-in package manager. We host nothing - winget downloads each app from its official source.


Windows 10 and 11 include winget. Paste the script into PowerShell or Terminal and press Enter. Always review a script before you run it.

Password managers

Generate and store a unique password for every account so one breach can never cascade.

Bitwarden

Open source Free + paid plans

Full-featured, audited, and works on every platform. The free tier covers most people.


KeePassXC

Open source Free

An offline vault stored as a file you control - no cloud account required.


1Password

Paid

Polished and family-friendly. Paid only, but widely trusted and easy for non-technical users.


Proton Pass

Open source Free + paid plans

From the makers of Proton Mail - open-source, with built-in 2FA and email aliases. Solid free tier.


Two-factor authentication apps

Generate the 6-digit codes that add a second lock to your accounts. Safer than text-message codes.

Ente Auth

Open source Free

Cross-platform, open-source, with encrypted backups so you do not lose your codes.


Aegis Authenticator

Open source Free

A well-regarded open-source authenticator for Android.

Android only.


2FAS

Open source Free

Open-source authenticator for iPhone and Android, with optional encrypted backup.


Web browsers

Your browser is your front door to the web - these put privacy and security first.

Mozilla Firefox

Open source Free

Independent, open-source, with strong built-in tracking protection.


Brave

Open source Free

Chromium-based with ads and trackers blocked by default.

Optional crypto features can be turned off.


Mullvad Browser

Open source Free

A privacy-hardened browser from Mullvad and the Tor Project - strong anti-fingerprinting, without needing the Tor network.

Desktop only.


Tor Browser

Open source Free

Routes your traffic through the Tor network for anonymity. Slower, but the strongest option for sensitive browsing.


LibreWolf

Open source Free

A Firefox fork hardened for privacy out of the box, with no telemetry - maximum privacy with minimal setup.


Ad and tracker blockers

Blocking ads and trackers also blocks a common path for malware ("malvertising").

uBlock Origin

Open source Free

The gold-standard, lightweight, open-source content blocker for Firefox and Chromium browsers.


Privacy Badger

Open source Free

A set-and-forget tracker blocker from the EFF that learns to block hidden trackers as you browse. Pairs well with uBlock Origin.


Private messaging

End-to-end encrypted messaging so only you and the recipient can read your conversations.

Signal

Open source Free

The benchmark for private messaging - open-source, nonprofit, and end-to-end encrypted by default.


SimpleX Chat

Open source Free

A newer open-source messenger with no user IDs or phone numbers at all - the most metadata-private option.

Newer, with a smaller community than Signal.


Private email

Encrypted email providers that do not mine your inbox for advertising.

Proton Mail

Open source Free + paid plans

Encrypted email with a usable free tier.

Based in Switzerland (strong privacy laws).


Tuta

Open source Free + paid plans

Encrypted email and calendar, open-source, with a free tier.

Based in Germany.


Mailbox.org

Paid

A privacy-respecting paid email and office suite, popular in Europe.

Based in Germany.


Anti-malware

Protection against viruses and malware. You likely already have a capable option built in.

Microsoft Defender

Free

Built into Windows 10 and 11 and genuinely good - just keep real-time protection on.

Already included with Windows; no install needed.


Malwarebytes

Free + paid plans

A trusted second-opinion scanner; the free version cleans up infections on demand.


VPNs

A VPN hides your IP from websites and your traffic from your local network - but it is not anonymity, and you are trusting the provider. Choose a reputable no-logs service and avoid "free" VPNs that monetize your data.

Proton VPN

Open source Free + paid plans

Open-source apps and the only reputable VPN with a genuinely unlimited free tier.

Based in Switzerland; independently audited.


Mullvad

Open source Paid

Privacy-first, flat-rate, and you can sign up without an email address.


IVPN

Open source Paid

Privacy-focused, open-source apps, independently audited, with no-logs and anonymous sign-up.


Encrypted cloud storage

Cloud storage where files are encrypted before they leave your device, so the provider cannot read them.

Proton Drive

Open source Free + paid plans

End-to-end encrypted cloud storage from Proton, with a free tier.

Based in Switzerland.


Ente Photos

Open source Free + paid plans

End-to-end encrypted photo backup - a private alternative to Google Photos or iCloud.


File and disk encryption

Lock files, folders, or whole drives so they are unreadable without your password - essential if a device is lost or stolen.

VeraCrypt

Open source Free

Create encrypted containers or encrypt entire drives. The trusted successor to TrueCrypt.


Cryptomator

Open source Free

Encrypts your files before they sync to Dropbox, Google Drive, or any cloud.


BitLocker

Free

Full-disk encryption built into Windows Pro - turn it on to protect a lost or stolen laptop.

Built into Windows Pro/Enterprise; on macOS, turn on FileVault.


Secure DNS and filtering

DNS is how your device looks up websites. A filtering resolver can block malicious and tracking domains for your whole network.

NextDNS

Free + paid plans

Cloud DNS filtering that blocks malware, trackers, and ads across all your devices. Generous free tier.


Quad9

Free

A free public DNS resolver that blocks known malicious domains. Just change one setting.

Nonprofit, based in Switzerland.


Cloudflare 1.1.1.1 for Families

Free

A fast, free public DNS that can block malware (1.1.1.2) or malware plus adult content (1.1.1.3). Simple to set up.


Backup

Regular backups are the single best defence against ransomware and lost or broken devices. Keep at least one copy offline or in the cloud.

Duplicati

Open source Free

Open-source, encrypted, scheduled backups to almost any cloud or drive.


Veeam Agent (Free)

Free

Free, reliable full-image backup for Windows - restore your whole system after a failure.


Private search engines

Search engines that don't profile you or build an advertising dossier from your queries.

DuckDuckGo

Free

The best-known private search engine - no tracking and no search-history profile.


Brave Search

Free

An independent search index (not a Bing or Google reskin) with a privacy focus.


Startpage

Free

Google results without the tracking, proxied through Startpage.

Based in the Netherlands.


Email aliases

Hide your real email behind unique aliases you can disable anytime - great against spam and after data breaches.

SimpleLogin

Open source Free + paid plans

Open-source email aliasing from Proton. Create a unique address for every site and shut off spam at the source.


addy.io

Open source Free + paid plans

Open-source anonymous email forwarding with a generous free tier (formerly AnonAddy).


Encrypted notes

Note apps that encrypt your content so only you can read it, synced across your devices.

Standard Notes

Open source Free + paid plans

End-to-end encrypted notes, independently audited, with a long-term focus on durability.


Joplin

Open source Free

Open-source notes and to-dos with optional end-to-end encryption and your choice of sync.
