CyberChef
GCHQ open-sourced its "Cyber Swiss Army Knife", and CyberChef became the web app security analysts, incident responders, and CTF players reach for when data needs decoding, decrypting, or dissecting. Its interface is four panes: paste or drag input (files up to 2GB), search a categorized library of hundreds of operations, drag them into a recipe with arguments, and read the output. Operations span Base64, hex, and XOR encoding; AES, DES, and Blowfish encryption; classical ciphers from Caesar to Railfence; hashes and checksums; compression; regex and string extraction of IPs, domains, and URLs; timestamp conversion; and parsers for IPv6, X.509 certificates, and more. Recipes chain arbitrarily - convert from a hexdump then decompress, decrypt AES pulling the IV from the cipher stream, or let the Magic operation auto-detect several layers of nested encoding. Auto Bake re-runs the recipe live as input or arguments change, Step executes one operation at a time for debugging, and flow control (forks, subsections, registers) applies different operations to different parts of the data. Recipes save to files or share as URLs encoding the full pipeline. Crucially, CyberChef is entirely client-side JavaScript - nothing uploads anywhere - and self-hosting guarantees an unmodified copy inside your own network, where malware artifacts belong.
It Tools
The utilities engineers otherwise scatter across a dozen ad-laden websites - 80+ of them - live together in IT-Tools, one fast, polished web app. Crypto covers JWT decoding, MD5 through SHA-512 hashing, HMAC and bcrypt generation, RSA key pairs, and password strength analysis. Converters handle JSON to CSV, YAML, and TOML, Base64 files, URL encoding, HTML entities, color formats, and Docker run commands to Compose files. Generators produce UUIDv4, ULID, BIP39 mnemonics, QR codes (including Wi-Fi QR), and tokens; text tools include a regex tester, diff viewer, slug and case converters; web utilities parse URLs and user agents, look up HTTP status codes and MIME types, and inspect Open Graph metadata; plus a cron parser, chmod calculator, and more. The privacy argument is the point: JWTs contain user IDs, hashes derive from passwords, JSON dumps hold PII - exactly the inputs you least want a third-party utility site to log. IT-Tools is a frontend-only static bundle (Vue/TypeScript, GPL-3.0, 39k+ GitHub stars) served by Nginx in one container, so everything runs client-side on your infrastructure with nothing transmitted anywhere. New tools ship roughly monthly, and a scaffolding script makes adding custom ones straightforward.