Paste a threat report, an alert, log lines, or an email body and pull out every indicator of compromise, categorized and deduplicated with a copy button each. It reads indicators that are already defanged, and it can defang or refang any text so links are safe to paste into a ticket.
An indicator of compromise is a small piece of observable evidence that points at malicious activity: an attacker-controlled IP address, a command and control domain, a download URL, a phishing sender, a file hash, or a vulnerability identifier. A threat report or an alert is usually written for humans, so those indicators are scattered through prose and log lines. This tool reads the whole block of text, finds the indicators, groups them by type, removes duplicates, counts each group, and gives every group its own copy button so you can move them straight into a case, a watchlist, or a detection rule.
Vulnerability identifiers are matched in CVE-YEAR-NUMBER form.
Analysts share indicators in a deactivated form so nobody clicks them by accident, which means the same domain might arrive as evil[.]example, evil(.)example, or hxxps://evil[.]example. Before it extracts anything, this tool refangs the input internally, undoing hxxp, [.], (.), [at], and [://] style substitutions, so a defanged indicator is matched exactly like a live one. You do not need to clean the report by hand first.
The second function works on whole text rather than single indicators. Defanging rewrites http to hxxp, https to hxxps, :// to [://], every dot to [.], and the at sign to [at], which produces text that is safe to paste into a ticket, a chat, or an email without a live clickable link. Refanging reverses each of those substitutions to recover the working indicator when you actually need it. The output panel shows which transformations were applied and copies in one click.
Extraction runs on client-side regular expressions, and they are written to favor recall, which means they aim to catch indicators rather than to be perfectly precise. You may see a benign domain, a documentation address, or a string that merely looks like a hash. Treat the output as a fast first pass that still needs a human review, not as a judgment about what is malicious. Deciding which indicators actually matter takes context, the kind of reasoning an AI security testing approach applies instead of pattern matching a single string.
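The refang, extraction and defang steps described above, as an added example in plain JavaScript that is not the tool's own source. The patterns, the sample report, the empty-file SHA-256 and the CVE-2099-12345 placeholder are constructed for the demo; note that the bare invoice.pdf mention in the sample is reported as a domain, which is exactly the recall-first false positive a human review is meant to catch.

```javascript
// Added example, not the tool's own source: refang, extract, dedupe and defang as the page describes.
// Undo common defang substitutions so a defanged indicator matches like a live one.
function refang(text) {
  return text
    .replace(/\[:\/\/\]/g, "://")
    .replace(/\bhxxp/gi, "http")
    .replace(/[\[(]\.[\])]/g, ".") // evil[.]example and evil(.)example
    .replace(/\[at\]/gi, "@");
}
// Make text safe to paste: http -> hxxp, :// -> [://], . -> [.], @ -> [at].
function defang(text) {
  return text
    .replace(/\bhttp(s?):\/\//gi, "hxxp$1[://]")
    .replace(/\./g, "[.]")
    .replace(/@/g, "[at]");
}
// Recall-first patterns, in priority order: each match is blanked out, so a
// hostname inside a URL or e-mail address is not reported again as a bare domain.
const PATTERNS = {
  cve: /\bCVE-\d{4}-\d{4,}\b/gi,
  sha256: /\b[a-f0-9]{64}\b/gi,
  md5: /\b[a-f0-9]{32}\b/gi,
  url: /\bhttps?:\/\/[^\s"'<>]+/gi,
  email: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/gi,
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  domain: /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi,
};
// Returns { type: [unique indicators, in order of first appearance] }.
function extractIocs(rawText) {
  let text = refang(rawText);
  const groups = {};
  for (const [type, re] of Object.entries(PATTERNS)) {
    const seen = new Set();
    text = text.replace(re, (m) => {
      const value = m.replace(/[.,;:)\]]+$/, ""); // drop trailing punctuation
      seen.add(type === "url" ? value : type === "cve" ? value.toUpperCase() : value.toLowerCase());
      return " ".repeat(m.length); // consume the span so later patterns skip it
    });
    groups[type] = [...seen];
  }
  return groups;
}
// Constructed sample (documentation IP range, reserved .example names, empty-file SHA-256, placeholder CVE): not real IoCs.
const SAMPLE_REPORT = `
Phishing mail from billing[at]evil[.]example linked to hxxps://evil[.]example/invoice.pdf.
C2 beacon to 198[.]51[.]100[.]23, also written 198(.)51(.)100(.)23 in the SIEM alert.
Dropper SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 abuses CVE-2099-12345.
Some users got invoice.pdf directly; EVIL(.)example and cve-2099-12345 also appear in Java logs.`;
for (const [t, v] of Object.entries(extractIocs(SAMPLE_REPORT))) if (v.length) console.log(`${t} (${v.length}): ${v.join(", ")}`);
```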
Incident text is some of the most sensitive material an analyst handles. It can name victim hosts, internal addresses, account identifiers, and the details of a live intrusion. Pasting any of that into a server you do not control is its own exposure. Every part of this tool, the extraction and the defang and refang, runs as JavaScript on this page, so the text you paste is never uploaded, logged, or stored. You can run a real report through it without the input ever leaving your machine. For the wider set of boundaries attackers probe, see the web security glossary and the access control writing.
Defanging rewrites an indicator so it can no longer be clicked or auto-resolved when it lands in a ticket or an email: http becomes hxxp, a dot becomes [.], and the at sign becomes [at]. Refanging reverses those substitutions to recover the live indicator when you need to work with it.
Yes. The input is refanged internally before extraction, so a host written as hxxps://evil[.]example or an address written as 198[.]51[.]100[.]23 is recognized and categorized just like a live one.
It favors recall, so it is tuned to catch indicators rather than to be perfectly precise. Review the results before acting on them. The tool is a fast first pass, not a verdict on what is malicious.