ZeroTrace OSINT
Defang & Refang
Defang and refang IOCs in multiple formats — CyberChef-style, MISP, STIX. Safe IOC sharing for chat, email, and reports.
The defang tool transforms indicators-of-compromise (IPs, URLs, domains, emails, hashes) into "broken" forms that text-rendering systems will not auto-link. The refang tool reverses the transformation.
Why defang
A malicious URL pasted into a chat client almost always becomes a clickable link. A teammate's hover preview can trigger telemetry. A misclick can fire the URL. Defanging breaks the auto-linking and signals to the reader "this is hostile content; treat with care."
Defanging is the universal convention in security work. Reports, blog posts, threat-intelligence shares, and chat discussions all use defanged IOCs.
What you can defang
| Input type | Defanged form (CyberChef style) |
|---|---|
| IP | 1.2.3.4 → 1[.]2[.]3[.]4 |
| URL with scheme | http://evil.com/x → hxxp://evil[.]com/x |
| HTTPS URL | https://evil.com → hxxps://evil[.]com |
| Domain | evil.com → evil[.]com |
bad@evil.com → bad[at]evil[.]com | |
| Hash | 5d41402abc4b2a76b9719d911017c592 (unchanged — hashes do not auto-link) |
The brackets-around-the-dot pattern is the most common form. The hxxp substitution defangs the scheme. The [at] substitution defangs emails.
Format selector
Different tools and reporting frameworks use slightly different defang formats. The tool offers:
| Format | Style |
|---|---|
| CyberChef | [.], hxxp, [at] — the most common |
| MISP | Standard MISP defang conventions |
| STIX | STIX 2.x defang conventions |
| Custom | Your own substitutions |
Pick the format that matches your reporting framework.
Refang
Refanging is the inverse — take a defanged IOC and restore it to actionable form. Useful when you receive an IOC list from another team, defanged, and you need to feed it into a tool that needs the original.
The refanger handles:
- All the defang formats listed above.
- Mixed formats in the same input (one paste containing some CyberChef-defanged and some MISP-defanged IOCs).
- Common typo variants of defanged forms.
Refang an IOC only when you are about to use it in a controlled environment. Refanging restores the original — pasting it into a chat or email will re-trigger the auto-linking that defanging was meant to prevent.
Per-IOC type breakdown
The defang tool reports counts of each IOC type in the input — useful for sanity-checking that your defanged output covers what you expected.
Auto-compose with extractor
A one-click "extract first then defang" affordance composes the IOC extractor over the input first, then defangs each extracted IOC. Useful when your input is messy text rather than a clean IOC list.
Pivots
The defang tool itself does not pivot — the refanged-output entries do, via the IOC extractor's pivot menu.
Bulk defang
Bulk paste accepts arbitrarily large inputs. The output is the same input with every IOC defanged in-place — reporting-ready prose.
Sources
All defang / refang transformations run locally. No external sources are queried.