LIVE NEWSROOM · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

IOC Extractor

Paste any text (incident report, paste-bin dump, threat-intel article, email). We extract IPs, domains, URLs, hashes, CVEs, emails, BTC/ETH addresses, registry keys, and file paths. Defanging is decoded automatically.

    What it does

    Threat-intel reports embed indicators of compromise (IOCs) in prose. Pulling them out manually wastes hours. Our extractor uses 12 specialized regex patterns to pull every IP, domain, URL, hash (MD5/SHA-1/SHA-256), CVE ID, email, Bitcoin/Ethereum address, Windows registry key, and Unix/Windows file path from any text. We also handle defanging — hxxp:// becomes http://, [.] becomes . — so you can paste reports without manual cleanup.
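
The decode-then-extract order described above, as an added Python example that is not the tool's own code. It covers URLs, emails, IPv4 addresses, CVE IDs and hashes; the regexes, function names and sample text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Defang forms named on this page; these rules are constructed, not the tool's.
REFANG = [
    (re.compile(r"\bhxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\[at\]", re.I), "@"),
]
PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "hash": re.compile(r"\b[a-fA-F0-9]{32,64}\b"),
}
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # classify by hex length

def refang(text):  # decode defanging before any pattern runs
    for pattern, repl in REFANG:
        text = pattern.sub(repl, text)
    return text

def is_ipv4(candidate):  # rejects out-of-range octets such as 999.1.1.1
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False

def extract_iocs(text):
    text = refang(text)
    out = {k: [] for k in ("url", "email", "ipv4", "cve", "md5", "sha1", "sha256")}
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value, bucket = match.group(0), kind
            if kind == "url":
                value = value.rstrip(".,;:)")  # trailing sentence punctuation
            elif kind == "ipv4" and not is_ipv4(value):
                continue  # drop invalid quads only; private IPs are kept
            elif kind == "hash":
                value, bucket = value.lower(), HASH_KINDS.get(len(value))
            if bucket and value not in out[bucket]:  # skip odd lengths, dedupe
                out[bucket].append(value)
    return out

# Constructed sample text, not real indicators.
SAMPLE = ("Beacon to hxxps://update.example[.]com/gate.php from 10.0.0.5, C2 at "
          "203[.]0[.]113[.]7. Contact ops[at]example[.]org about CVE-2099-12345; "
          "build 999.1.1.1. Dropper MD5 0123456789abcdef0123456789abcdef.")
```

Calling `extract_iocs(SAMPLE)` returns a dict of lists keyed by indicator type, with the defanged IP and email recovered and the out-of-range `999.1.1.1` dropped.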

    How to use it

    1. Paste any text — threat-intel report, paste-bin dump, forum post, email body, or log file.
    2. Click "Extract IOCs".
    3. Results group by type: IPv4, domains, URLs, CVEs, hashes by algorithm, BTC, ETH, registry keys, file paths.
    4. Copy any group to clipboard for ingestion into your SIEM or MISP.
    5. Cross-reference suspicious IOCs against our Hash Reputation, URL Checker, or IP Reputation tools.

    Common use cases

    Ingesting community threat-intel: Convert a Bleeping Computer breach article into a structured IOC list for your detection pipeline in under 30 seconds.
    Forensics report parsing: Pull IOCs out of analyst write-ups stored as PDFs or markdown for inclusion in case files.
    Phishing-email analysis: Paste the full email body and headers to extract sender IPs, URLs, and embedded crypto-wallet addresses.
    Honeypot log mining: Bulk-process your honeypot logs to extract unique attacker IPs, payloads, and URLs.

    Frequently asked questions

    What is defanging?
    Defanging makes IOCs unclickable: hxxp:// instead of http://, evil[.]com instead of evil.com, [at] instead of @. We auto-decode all common defanging patterns before extracting.
    Does this catch obfuscated indicators?
    Standard obfuscation (defanging, simple substitutions, separators): yes. Base64-encoded IOCs: no. Decode them first with our Encoder/Decoder tool, then paste the result here.
    Are private IPs filtered out?
    They’re reported as-is; we don’t filter. Use the results in context (e.g. private IPs may indicate internal lateral movement).
    What’s the input size limit?
    500 KB of text. Sufficient for full threat reports or several log files.
    Can I get the IOCs in CSV or STIX format?
    Not yet. Output is JSON via the REST API and rendered HTML on the web UI. Export formats are on the roadmap.

    Free for everyone, no signup required. Tool runs at /tools/ioc-extractor/ — bookmark or share.
