Security Tools

Regular Expression Tester for Security Patterns

Test and validate regular expressions for security-related patterns such as input validation, XSS, SQLi, and more.

intermediate5-10 minutesRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

Flags

Match dotted-decimal IPv4 addresses.

Highlighted matches

Failed login from 203.0.113.45 at 10.0.0.1

2 matches found

/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b/g

203.0.113.4510.0.0.1
Test patterns before deploying in production parsers — catastrophic backtracking can impact performance on large inputs.

Documentation

How to use this tool, practical use cases, and technical notes.

The Regex Tester is designed for speed — you can load a pattern, test it against a string, and copy matches in under 60 seconds. Here is a complete walkthrough of every feature.

Step 1 — Select a Built-In Security Pattern (or Write Your Own)

When the tool loads, it defaults to the IPv4 Address pattern with a sample test string pre-populated. To switch patterns, click any of the five pattern buttons:

Button

Loads Pattern For

Default Test String

IPv4 address

Dotted-decimal IPv4

Failed login from 203.0.113.45 at 10.0.0.1

Email address

RFC email format

Sample string with email addresses

HTTP(S) URL

Full HTTP/HTTPS URLs

Sample string with URLs

CVE identifier

CVE-YEAR-NNNN format

Sample string with CVE IDs

JWT token

Base64url JWT format

Sample string with a JWT

To write a custom regex, click into the Regular expression field and type or paste your pattern directly. The tool evaluates it live — no submit button required.

Step 2 — Configure Regex Flags

Flags modify how your regex engine interprets the pattern. The tool exposes all five standard JavaScript regex flags:

Flag

Symbol

What It Does

When to Use in Security Contexts

global

g

Find all matches, not just the first

Always on for log parsing — you need every IP/CVE/URL in a line

ignore case

i

Case-insensitive matching

Matching HTTP methods (GET, get, Get); normalizing user agent strings

multiline

m

^ and $ match line start/end, not string start/end

Parsing multi-line log blocks; matching per-line in a log file

dotall

s

. matches newline characters

Matching patterns that span multiple lines (multi-line HTTP requests)

unicode

u

Full Unicode matching

Parsing logs containing non-ASCII characters; internationalized email addresses

Recommended flag combinations for common security tasks:

Task

Recommended Flags

Extract all IPs from a log file

g

Parse URLs case-insensitively

g, i

Match CVEs across multi-line SIEM output

g, m

Detect JWTs in multi-line HTTP request dumps

g, s

Validate internationalized email addresses

g, u

Step 3 — Enter Your Test String

Paste the text you want to match against into the Test string field. This can be:

  • A single log line: Failed login from 203.0.113.45 at 10.0.0.1

  • Multiple log lines (use multiline flag m)

  • A raw HTTP request or response

  • A SIEM alert payload

  • A block of application output

  • A threat intelligence report excerpt

The tool evaluates your regex against the test string in real time as you type — no need to click a button.

Step 4 — Read the Highlighted Matches Output

The Highlighted matches section renders your test string with all matched substrings wrapped in highlight markup (shown as ==match== in the interface). This makes it immediately obvious:

  • What matched — highlighted in the output

  • What did NOT match — plain text in the output

  • Over-matching — if too many things are highlighted, your pattern is too broad

  • Under-matching — if expected matches are not highlighted, refine your pattern

The match count is displayed below the pattern description (e.g., 2 matches found).

Step 5 — Copy Pattern or Matches

Two copy buttons are available:

Button

What It Copies

Where to Use It

Copy pattern

The full regex with flags in /pattern/flags format

Paste directly into Splunk SPL, Sigma rules, Python re module, or JavaScript code

Copy matches

The list of matched strings (one per line)

Paste into an IoC list, investigation notes, or ticket

The /pattern/flags format copied by Copy pattern is universally recognized:

/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\b/g

This format works directly in JavaScript, and the pattern portion is immediately usable in Python's re module, Elastic Query DSL, and most SIEM rule syntaxes.

Step 6 — Iterate and Refine

Regex development for security use cases is iterative. A productive workflow looks like this:

1. Start with built-in pattern → understand baseline behavior

  1. Paste real log data from your environment → observe matches

  2. Identify false positives (things that matched but shouldn't)

  3. Identify false negatives (things that should have matched but didn't)

  4. Refine the pattern → re-test until precision is acceptable

  5. Test performance against a large/complex string before deploying

  6. Copy the final pattern → deploy to SIEM/WAF/code

Common Regex Mistakes in Security Contexts

Mistake

Example

Problem

Fix

No word boundary

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Matches partial strings inside longer numbers

Add \b anchors

Invalid octet ranges

\d{1,3} per octet

Matches 999.999.999.999

Use the validated octet pattern

Missing global flag

/pattern/ without g

Only returns first match in a log file

Add g flag

Greedy quantifiers on large input

. in complex patterns

Catastrophic backtracking on long strings

Use lazy .? or atomic groups

No case normalization

Case-sensitive URL matching

Misses HTTP://, Http://

Add i flag or normalize before matching

Anchoring to string instead of line

^ without m flag

Pattern only matches start of entire input

Add m flag for multi-line logs