PatchDay Alert

Utility · Tool review

CyberChef: GCHQ's data-mangling Swiss Army knife, runs in your browser

A browser-based tool for encoding, decoding, hashing, parsing, decrypting, and otherwise mangling data. 300+ operations, chainable into shareable recipes, runs entirely client-side. Apache 2.0.

Reviewed by The Field Notes Desk · May 24, 2026 · 4 min read

Vendor: GCHQ
Pricing: Free, Apache 2.0
License: Apache 2.0



Decode this base64. Parse this JWT. Decompress this gzip. Expand this URL-encoded blob that someone pasted into the ticket with no context. Verify the certificate chain on this PEM file. Every operator has lived this moment, usually twice a week, usually right when they wanted to go to lunch. The default move is a throwaway Python script, or a chain of command-line one-liners that you’ll write again from scratch next Tuesday because you didn’t save the first one.

CyberChef is the tool that ends that cycle. It’s a browser page with 300+ operations you can chain together into a recipe, save the recipe as a URL, and hand to the next person who hits the same problem. GCHQ built it for their own analysts, open-sourced it in 2017 under Apache 2.0, and it has been the quiet backbone of incident response and reverse-engineering work ever since.

What it actually does

Drag operations from a sidebar into the recipe pane. Paste data into the input. The output updates live. The operations cover most of what an operator needs to do to data that arrived in the wrong shape:

Operations chain. The output of one is the input of the next. The recipe pane is the procedure, and the URL bar carries it. That is the part of CyberChef that turns it from a useful page into a useful tool for a team: a working recipe becomes a link, the link becomes documentation, the documentation becomes a workflow that survives the person who wrote it.

Why it matters that it runs client-side

CyberChef runs entirely in your browser. No data leaves the page. That single design decision is what makes it usable on the data you actually have, which is usually the data you’re not allowed to paste into a third-party service. A suspicious base64 blob from a phishing email, a JWT pulled from an authenticated session, the contents of a file someone exfiltrated and you’re now triaging: all of that stays local.

It also means you can run CyberChef where the internet isn’t. The whole app ships as a single HTML file you can download from the releases page and double-click on an air-gapped host. There is a Docker image if you want to host an internal instance. The live version at gchq.github.io/CyberChef is fine for non-sensitive work, and for sensitive work the local copy is the same code.

This combination is rarer than it should be. Most “useful web tools” for operators are someone’s SaaS in disguise, and the moment you paste a real artifact into them you’ve created a disclosure incident you didn’t mean to. CyberChef is the version of that pattern where the privacy story is the architecture, not a promise on the marketing page.

Where it doesn’t fit

CyberChef is a tool for ad-hoc work, not for production pipelines. The right place to decode base64 inside a service is the language’s standard library, not a headless browser running a recipe. Operators who reach for CyberChef inside a Lambda or a scheduled job are usually a refactor away from being happier.
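For comparison, here is one such chain (URL decode, then Base64, then Gunzip, plus JWT inspection) written against the Python standard library. This is an added example, not code from CyberChef or from this review; the function names, the 1 MiB output cap and the sample data are assumptions made for illustration.

```python
import base64, gzip, io, json, urllib.parse, zlib

MAX_OUT = 1 << 20  # assumed 1 MiB cap on decompressed size; tune per service

def url_decode(data: bytes) -> bytes:
    return urllib.parse.unquote_to_bytes(data)

def b64_any(data: bytes) -> bytes:
    """Decode standard or URL-safe Base64, restoring stripped '=' padding."""
    s = data.strip().rstrip(b"=").replace(b"-", b"+").replace(b"_", b"/")
    s += b"=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)  # reject non-alphabet bytes

def gunzip_capped(data: bytes, limit: int = MAX_OUT) -> bytes:
    """Gunzip, refusing output above `limit` bytes (decompression-bomb guard)."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as fh:
        out = fh.read(limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed output exceeds limit")
    return out

RECIPE = (url_decode, b64_any, gunzip_capped)  # the chain, kept as data

def run_recipe(data: bytes, steps=RECIPE) -> bytes:
    """Feed each step's output to the next; name the step that fails."""
    for step in steps:
        try:
            data = step(data)
        except (ValueError, OSError, EOFError, zlib.error) as exc:
            raise ValueError(f"{step.__name__} failed: {exc}") from exc
    return data

def jwt_claims(token: str) -> dict:
    """Decode a JWT's header and payload for triage. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header, payload = (json.loads(b64_any(p.encode())) for p in parts[:2])
    return {"header": header, "payload": payload}

# Constructed sample: gzip -> Base64 -> URL-encode, the reverse of RECIPE.
PLAINTEXT = b'{"user": "alice", "note": "constructed sample"}'
SAMPLE = urllib.parse.quote(base64.b64encode(gzip.compress(PLAINTEXT))).encode()

if __name__ == "__main__":
    print(run_recipe(SAMPLE).decode())
```

`jwt_claims` only reads the token; anything that makes an authorization decision needs a JWT library that verifies the signature.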

In-browser execution is a feature for confidentiality and a constraint for size. Very large inputs will choke the page, and the operations that have to keep intermediate state in memory will choke it sooner. If the input is a multi-gigabyte capture, you want a different tool.

Shared installations accumulate recipe sprawl. Every analyst saves their favorites, none of them are documented, and three years later nobody knows which of the seven “decode the thing” recipes is the current one. The recipe-sharing model is a strength when you treat recipes as code; it is a liability when you treat them as scratch.

Get it

Live instance: https://gchq.github.io/CyberChef/

Source and standalone HTML download: https://github.com/gchq/CyberChef

The shortest version of the recommendation: install it before you need it. The next time a ticket lands with a base64 blob and a question mark, the version of you that already has CyberChef bookmarked will finish the triage in two minutes, and the version that doesn’t will reinvent a Python script that the person before them also reinvented. The tool is free, runs offline, and was written by an intelligence agency that decided sharing it was worth more than keeping it. That is a strong enough endorsement that the only remaining question is which tab you put it in.


This is an editorial review. PatchDay Alert was not paid by GCHQ to write it. Sponsored content, when we run it, is labeled Sponsored and kept visually distinct from editorial reviews.
