There are several free tools that a security engineer may use as part of their arsenal but the following three are quite essential.

1) Burp Suite by Portswigger

The community edition of the Burp Suite is a free tool that provides a comprehensive solution for web application security checks. Their proxy feature is quite useful during penetration testing to manually inspect and fiddle with web traffic. It also includes a scanner that provides automated vulnerability scans for web applications.

2) Security Monkey by Netflix

Security Monkey is a tool that monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Managing the configurations and policies on cloud provides like AWS is a complex task and requires constant monitoring. Security Monkey helps automate the process and has good integration with developer workflow tools like JIRA to create tickets and bug reports.

3) ModSecurity by Trustwave

ModSecurity is a web application firewall (WAF), it enables real time logging, monitoring and access control. It also comes with a powerful rules language and API to enable you to define and implement custom protections.