diff --git a/pkgs/tools/security/regexploit/default.nix b/pkgs/tools/security/regexploit/default.nix
new file mode 100644
index 00000000000..be09c34254b
--- /dev/null
+++ b/pkgs/tools/security/regexploit/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, fetchFromGitHub
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "regexploit";
+  version = "1.0.0";
+
+  disabled = python3.pythonOlder "3.8";
+
+  src = fetchFromGitHub {
+    owner = "doyensec";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "0z3fghsyw0ll36in7ihc0qi3gy7mqi6cw1mi8m8c8xb1nlwpfr0y";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [
+    pyyaml
+  ];
+
+  checkInputs = with python3.pkgs; [
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [ "regexploit" ];
+
+  meta = with lib; {
+    description = "Tool to find regular expressions which are vulnerable to ReDoS";
+    homepage = "https://github.com/doyensec/regexploit";
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a3e7c50b3cc..611b1a53d5b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -12930,6 +12930,8 @@ with pkgs;
 
   red = callPackage ../development/interpreters/red { };
 
+  regexploit = callPackage ../tools/security/regexploit { };
+
   regextester = callPackage ../applications/misc/regextester { };
 
   regina = callPackage ../development/interpreters/regina { };