IOC Extractor & Defanger

Paste a threat report, phishing email, or log block. Pull out every IP, domain, URL, email, hash, and CVE, or defang the text so no indicator is clickable before you share it. Everything runs in your browser.

What defanging is, and why analysts extract IOCs

Defanging in one line

Defanging rewrites a malicious indicator so it is no longer a live, clickable link or address. http://evil.com becomes hxxp://evil[.]com. The meaning is preserved for a human reader, but a teammate skimming a ticket or chat cannot accidentally click through to something harmful. Refanging reverses it when you actually need to act on the indicator in a sandbox.

Why pull out the indicators

An indicator of compromise (IOC) is any observable tied to malicious activity: an IP, a domain, a URL, a sender address, a file hash, or a referenced vulnerability. Extracting them into clean, deduplicated lists is the routine first step before feeding them into a blocklist, a SIEM, or a lookup. Doing it locally matters because incident text often contains sensitive internal data that you should not send to a third-party server.

A heuristic, not a verdict

Extraction here is pattern matching. It can pick up benign strings that merely look like indicators, and it cannot tell a malicious domain from a quoted legitimate one. Treat the output as a starting list to review, not a confirmed set of threats. For any IP or domain you find, the IP Inspector and DNS Lookup are good next stops.
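
The following JavaScript is an added example, not this tool's own code: it defangs and refangs text and extracts deduplicated indicators by pattern matching. The function names, regular expressions and sample text are assumptions made for the illustration. The domain pattern also picks up the file name update.exe, the kind of benign match described above.

```javascript
// Added example: function names, regexes and sample text are assumptions.
const URL_RE = /\bhttps?:\/\/[^\s<>"']*[^\s<>"'.,;:!?)\]]/gi;
const EMAIL_RE = /\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const DOMAIN_RE = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi;
const HASH_RE = /\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi; // SHA-256, SHA-1, MD5 lengths
const CVE_RE = /\bCVE-\d{4}-\d{4,}\b/gi;
// Anything still "live": URL first so a whole URL is rewritten as one token.
const LIVE_RE = new RegExp([URL_RE, EMAIL_RE, IPV4_RE, DOMAIN_RE].map((r) => r.source).join("|"), "gi");

// Rewrite only inside matched indicators, so sentence punctuation is untouched.
function defang(text) {
  return text.replace(LIVE_RE, (m) =>
    m.replace(/^http(?=s?:\/\/)/i, "hxxp").replace(/\./g, "[.]").replace(/@/g, "[@]"));
}

// Undo the common defang notations: hxxp, [.], (.), [dot], [@], [at].
function refang(text) {
  return text
    .replace(/hxxp(s?):\/\//gi, "http$1://")
    .replace(/\[(?:\.|dot)\]|\(\.\)/gi, ".")
    .replace(/\[(?:@|at)\]/gi, "@");
}

// Refang first so live and defanged spellings of one indicator deduplicate.
function extractIocs(text) {
  const live = refang(text);
  const uniq = (re, norm = (s) => s) => [...new Set((live.match(re) || []).map(norm))];
  const lower = (s) => s.toLowerCase();
  return {
    urls: uniq(URL_RE),
    emails: uniq(EMAIL_RE, lower),
    ips: uniq(IPV4_RE).filter((ip) => ip.split(".").every((o) => Number(o) <= 255)),
    domains: uniq(DOMAIN_RE, lower), // also matches file names such as update.exe
    hashes: uniq(HASH_RE, lower),
    cves: uniq(CVE_RE, (s) => s.toUpperCase()),
  };
}

// Constructed sample text: reserved example addresses, placeholder CVE id,
// and the SHA-256 of empty input as a stand-in hash.
const SAMPLE = [
  "Beacon to hxxp://evil[.]com/gate from 203[.]0[.]113[.]7 (also logged as 203.0.113.7).",
  "Lure sent by Billing@Evil[.]com; payload update.exe exploits cve-2099-12345.",
  "SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
].join("\n");

console.log(extractIocs(SAMPLE));
console.log(defang(refang(SAMPLE)));
```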