Security Tools

IOC Extractor

Advanced search, encryption analysis, malware analysis, incident response, system analysis, or file recovery tool for ioc extractor and related operations.

advanced15-20 minutesRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

Paste text to extract IOCs

0 categories · 8 types enabled

Live extraction

Paste threat intel to begin

Extracts IPs, domains, hashes, URLs, emails, and CVEs automatically.

Try a sample

Deduplicated results. Validate IOCs before blocking — false positives are common with hashes and domains in prose.

Documentation

How to use this tool, practical use cases, and technical notes.

The IOC Extractor is designed for speed. From paste to extracted results takes under 5 seconds on any volume of text. Here is the complete walkthrough.

Step 1 — Open the Tool Workspace

Navigate to the tool page and click "Open tool" to reveal the interactive workspace. The interface has two primary panels:

  • Left panel: IOC type toggles and the source text input area

  • Right panel: Live extraction results, organized by IOC category

No login, no account, no file upload required.

Step 2 — Select Your IOC Types

At the top of the workspace, 8 IOC type toggles are available. By default, all 8 are enabled. Toggle off any types you don't need to filter your results:

Toggle

When to Disable It

IPv4

When your text is a domain-only intel report and IP noise would clutter results

Domain

When analyzing auth logs where all domains are internal and legitimate

Email

When processing network logs with no email context

MD5

When you only want SHA-256 hashes (MD5 is deprecated for security use)

SHA-1

When focusing on modern malware using SHA-256 identification

SHA-256

Rarely — SHA-256 is the gold standard hash IOC

URL

When extracting only network-layer IOCs (IPs and domains) for firewall ingestion

CVE

When processing non-vulnerability-related threat intelligence

Step 3 — Paste Your Source Text

Click into the "Paste threat intel to begin" source text area and paste any raw text. The tool accepts:

Input Type

Example Source

Plain text

Threat intel blog post copied from browser

Email body

Phishing email content (headers + body)

Log snippets

Auth logs, proxy logs, firewall logs, syslog

JSON/XML output

Malware sandbox detonation reports

PDF text (copied)

Vendor threat report, CISA advisory

CSV/TSV data

Exported SIEM alert data

HTML source

Threat actor profile pages, OSINT pages

Mixed format

Any combination of the above

There is no file size limit enforced by the interface — paste as much text as needed. Performance remains fast for typical intelligence document sizes (up to ~100KB of text).

Step 4 — Review Live Extraction Results

As soon as text is pasted, the right panel populates with extracted IOCs in real time, organized under each enabled IOC type category. Results are automatically deduplicated — if the same IP address appears 12 times in a log file, it appears once in the results.

Reading your results:

Result Indicator

Meaning

IOC count per category

Number of unique IOCs found of that type

"0 categories · 8 types enabled" (initial)

No text pasted yet

Results appear instantly

Live regex extraction firing on input

Deduplicated count

Lower than raw occurrences — duplicates removed

Step 5 — Try the Sample Inputs

Not sure what to paste first? Three built-in samples let you explore the tool's capabilities immediately:

Sample

What It Contains

IOC Types You'll See

Phishing email

Simulated malicious email with sender, links, and attachment references

Emails, URLs, domains, hashes

Auth log snippet

Simulated server authentication log with brute-force activity

IPv4 addresses, email addresses

Threat intel feed

Simulated structured threat report with mixed IOC types

All 8 types

Click any sample to instantly populate the source text area and see the extractor in action.

Step 6 — Validate Before Acting

The tool displays a critical reminder: "Validate IOCs before blocking — false positives are common with hashes and domains in prose."

This is essential operational guidance. Before feeding extracted IOCs into blocklists or SIEM rules:

IOC Type

Common False Positive Scenario

Validation Step

IPv4

RFC 1918 private IPs, loopback addresses, example IPs (192.0.2.x)

Filter RFC 1918 and documentation ranges

Domain

Legitimate CDN domains, your own infrastructure domains

Cross-reference against allowlist

Email

Security researcher email addresses quoted in reports

Check sender reputation

MD5

Empty file hash, common utility file hashes

Look up on VirusTotal or MalwareBazaar

SHA-256

Clean file hashes included for comparison in reports

Verify verdict on file reputation platforms

URL

Defanged URLs (hxxp://) that weren't caught, or example URLs

Check defanging and URL reputation

CVE

CVEs mentioned as "patched" or "not applicable to our stack"

Cross-reference with your asset inventory

Step 7 — Export and Operationalize

Copy extracted IOCs from the results panel and feed them into your security stack:

Destination

IOC Types

Purpose

Firewall / NGF block list

IPv4, domain

Block C2 communication

DNS sinkhole (Pi-hole, BIND RPZ)

Domain

Redirect malicious DNS queries

Web proxy category override

URL, domain

Block malicious web traffic

EDR / AV exclusion/block list

MD5, SHA-1, SHA-256

Block malicious file execution

SIEM correlation rule

All types

Alert on IOC matches in logs

Threat intelligence platform (MISP, OpenCTI)

All types

Enrich and share with community

Vulnerability scanner / patch priority

CVE

Prioritize patching against active exploitation

Email gateway block list

Email, domain

Block phishing senders