IOC extractor
The first thing you do with a suspicious log or a phishing email is pull out the artefacts worth pivoting on. Paste the raw text; this lifts out the indicators, de-duplicates them, and hands them back ready to drop into a ticket or a threat feed — without anything leaving your browser.
How it works
The extractor runs a set of tuned regular expressions for each indicator class — IPv4 and IPv6 addresses, domains, URLs, email addresses, MD5/SHA-1/SHA-256 hashes, and CVE IDs — and de-duplicates case-insensitively. Hashes are matched longest-first and removed as they go, so a 64-character SHA-256 is never mis-reported as a string of shorter MD5s. Domains that are really file names (loader.exe, report.pdf) are filtered out by their extension, and RFC 1918 private addresses are flagged so you can tell an internal host from a routable one.
Threat intel is usually shared defanged — evil[.]com, hxxps://… — so a careless click can’t detonate it. The tool refangs the input first (so it reads defanged and clean text alike) and can defang everything on the way out, ready to paste back into a ticket or email safely. It’s the kind of quick triage step I reached for constantly doing SOC work; here it’s a single paste, and the text never touches a server.
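The pipeline described above (refang, longest-first hash matching with removal, file-name filtering, RFC 1918 flagging, defang on output), as an added sketch that is not the tool's own code. It covers only hashes, IPv4 and domains; the function names, the regular expressions and the `FILE_EXTS` list are assumptions, and the hash patterns are left unanchored so that the removal step is what stops a SHA-256 being read as two MD5s.

```javascript
// Added example. Patterns are simplified; FILE_EXTS is an assumed, partial list.
const FILE_EXTS = new Set(["exe", "dll", "pdf", "doc", "docx", "js", "php", "txt"]);
const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const DOMAIN = /\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b/gi;

// Undo common defanging so defanged and clean input parse identically.
function refang(text) {
  return text.replace(/\[\.\]|\(\.\)|\[dot\]/gi, ".").replace(/hxxp(s?):\/\//gi, "http$1://");
}

// Make an indicator non-clickable before it goes into a ticket or email.
function defang(ioc) {
  return ioc.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

function isRfc1918(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Case-insensitive de-duplication that keeps the first spelling seen.
function uniq(list) {
  const seen = new Map();
  for (const v of list) if (!seen.has(v.toLowerCase())) seen.set(v.toLowerCase(), v);
  return [...seen.values()];
}

function extractIocs(raw, { defangOutput = false } = {}) {
  let text = refang(raw);
  const fmt = (v) => (defangOutput ? defang(v) : v);
  const out = {};
  // Longest-first: collect each hash class, then blank it out so the shorter
  // patterns cannot match inside a longer digest.
  for (const [name, len] of [["sha256", 64], ["sha1", 40], ["md5", 32]]) {
    const re = new RegExp(`[a-f0-9]{${len}}`, "gi");
    out[name] = uniq(text.match(re) || []);
    text = text.replace(re, " ");
  }
  out.ipv4 = uniq(text.match(IPV4) || []).map((ip) => ({ value: fmt(ip), private: isRfc1918(ip) }));
  // A "domain" whose last label is a file extension is a file name, not a host.
  out.domains = uniq(text.match(DOMAIN) || [])
    .filter((d) => !FILE_EXTS.has(d.split(".").pop().toLowerCase()))
    .map(fmt);
  return out;
}
// Constructed sample input (not real indicators).
const SAMPLE = `Blocked hxxps://evil[.]example/gate.php from 192.168.1.20 and 203.0.113.7
dropper loader.exe sha256 ${"ab12".repeat(16)} md5 ${"cd34".repeat(8)} EVIL[.]EXAMPLE`;
console.log(extractIocs(SAMPLE, { defangOutput: true }));
```

Without the blanking step, the unanchored 32-character pattern would report the sample SHA-256 as two MD5 values.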