The Three Major Defanging Styles
In the cybersecurity community, three primary URL defanging styles have emerged, each with distinct characteristics, advantages, and use cases. Understanding these formats helps security professionals communicate effectively with different audiences and choose the right approach for their specific needs.
All three styles serve the same fundamental purpose—making potentially malicious indicators safe to share—but they differ significantly in their implementation, reversibility, and community adoption.
CyberChef Style: The Community Standard
Format Specification
The CyberChef style, named after the popular open-source data transformation tool developed by GCHQ (UK's intelligence agency), has become the de facto standard in the threat intelligence community:
Protocol transformation:
- http:// becomes hxxp://
- https:// becomes hxxps://
Domain and IP transformation:
- Replace periods (.) with [.]
Complete example:
Original: https://malicious-site.com/payload.exe
Defanged: hxxps://malicious-site[.]com/payload[.]exe
Original: http://192.168.1.100:8080/beacon
Defanged: hxxp://192[.]168[.]1[.]100:8080/beacon
Why It's the Most Popular
Widespread Recognition: Security professionals worldwide instantly recognize hxxp and [.] as defanged indicators. This shared language facilitates communication across organizations, conferences, and public forums.
Tool Support: Virtually every threat intelligence platform, SIEM, and security tool supports CyberChef-style defanging:
- MISP (Malware Information Sharing Platform)
- OpenCTI (Open Cyber Threat Intelligence)
- TheHive (incident response platform)
- AlienVault OTX (Open Threat Exchange)
- VirusTotal comments and reports
Easy Refanging: Converting CyberChef-defanged URLs back to their original form requires only simple find-and-replace operations:
```python
def refang_cyberchef(defanged_url):
    # Restore the scheme, then un-bracket the periods
    refanged = defanged_url.replace('hxxp://', 'http://')
    refanged = refanged.replace('hxxps://', 'https://')
    refanged = refanged.replace('[.]', '.')
    return refanged
```
Compact Format: CyberChef-style defanging adds minimal characters (two extra brackets per period), keeping indicators readable and space-efficient—critical for Twitter threads, Slack messages, and dense threat reports.
Historical Precedent: The format originated from early malware analysis communities and has been refined over 15+ years of practical use.
When to Use CyberChef Style
Threat Intelligence Reports: When publishing research, IOC lists, or campaign analysis for the security community.
Example:
## Campaign Infrastructure
C2 Servers:
- hxxps://c2-primary[.]evil-domain[.]com
- hxxp://185[.]220[.]101[.]44:443
- hxxps://backup-c2[.]malicious[.]net
Phishing URLs:
- hxxps://paypa1-secure[.]com/login
- hxxps://microsoft-verify[.]tk/oauth
OSINT Sharing: When posting findings on Twitter, Reddit, or security forums where CyberChef style is expected.
Malware Analysis Writeups: Technical blog posts breaking down malware samples and their infrastructure.
Security Team Communications: Internal Slack channels, email threads, and collaboration where team members understand the format.
Bracket Style: Explicit and Formal
Format Specification
The Bracket style surrounds ALL special characters with brackets, providing explicit notation:
Complete bracketing:
- :// becomes [:]// or [://]
- . becomes [.]
- : (port separator) becomes [:]
- @ becomes [@]
Complete examples:
Original: https://malicious.com:8080/path
Defanged: https[:]//malicious[.]com[:]8080/path
Original: http://attacker@evil.com
Defanged: http[:]//attacker[@]evil[.]com
Original: 192.168.1.1:443
Defanged: 192[.]168[.]1[.]1[:]443
Advantages of Bracket Style
Maximum Clarity: Every defanged character is explicitly marked, leaving no ambiguity about which parts have been modified.
Consistent Pattern: The uniform bracketing approach makes it easy to identify all transformed characters at a glance.
Educational Value: Perfect for training materials where you want to emphasize which characters make URLs "active."
Format Flexibility: Some implementations bracket the entire protocol ([http://]) for even more explicit defanging.
Formal Documentation: Suits academic papers, compliance reports, and official documentation where precision is paramount.
Refanging Bracket Style
Refanging bracket-style URLs requires stripping all brackets:
```python
import re

def refang_bracket(defanged_url):
    # Remove all bracket pairs, keeping the text inside them.
    # Note: this also strips brackets that were part of the original string.
    refanged = re.sub(r'\[([^\]]+)\]', r'\1', defanged_url)
    return refanged

# Example
defanged = "https[:]//evil[.]com[:]8080/path"
original = refang_bracket(defanged)
# Result: "https://evil.com:8080/path"
```
When to Use Bracket Style
Compliance Documentation: When submitting IOCs to regulatory bodies, law enforcement, or audit reports.
Example:
Incident Report #2025-0042
Malicious indicators observed:
- URL: http[:]//phishing-site[.]com/verify
- Email: attacker[@]malicious[.]net
- IP: 203[.]0[.]113[.]42[:]8080
Academic Research: Security research papers published in journals or presented at conferences.
Cross-Organization Sharing: When sharing IOCs with partners who may not be familiar with CyberChef conventions.
Legal Evidence: Court filings or law enforcement reports where explicit notation prevents misinterpretation.
Aggressive Style: Maximum Safety
Format Specification
The Aggressive style replaces characters with descriptive text placeholders:
Descriptive replacements:
- http:// becomes h**p[PROTOCOL]
- https:// becomes h**ps[PROTOCOL]
- . becomes [DOT]
- : becomes [COLON]
- / becomes [SLASH]
- @ becomes [AT]
Complete examples:
Original: https://malicious.com/payload.exe
Defanged: h**ps[PROTOCOL]malicious[DOT]com[SLASH]payload[DOT]exe
Original: http://192.168.1.1:8080
Defanged: h**p[PROTOCOL]192[DOT]168[DOT]1[DOT]1[COLON]8080
Original: attacker@phishing.net
Defanged: attacker[AT]phishing[DOT]net
Advantages of Aggressive Style
Impossible to Mistake: No one could accidentally treat h**ps[PROTOCOL]evil[DOT]com as a real URL—it's unmistakably defanged.
Self-Documenting: Each placeholder explains what it represents ([DOT], [COLON], [SLASH]), making it perfect for audiences unfamiliar with defanging.
Training Excellence: Ideal for security awareness training where you want employees to understand the concept immediately.
Maximum Safety: Even buggy parsers or aggressive auto-linkers won't accidentally activate these URLs.
Presentation-Friendly: Great for slides, videos, and screenshots where clarity trumps brevity.
Disadvantages of Aggressive Style
Verbose: Takes significantly more space than other formats, problematic for dense reports or character-limited platforms (Twitter, text messages).
Non-Standard: Not widely adopted in professional threat intelligence sharing, requiring explanation for recipients.
Complex Refanging: Requires custom parsers and careful mapping of placeholders back to original characters:
```python
def refang_aggressive(defanged_url):
    # Map each placeholder back to the character(s) it stands for.
    # 'h**ps' is listed before 'h**p' so the longer token is handled first.
    replacements = {
        '[PROTOCOL]': '://',
        '[DOT]': '.',
        '[COLON]': ':',
        '[SLASH]': '/',
        '[AT]': '@',
        'h**ps': 'https',
        'h**p': 'http'
    }
    refanged = defanged_url
    for placeholder, original in replacements.items():
        refanged = refanged.replace(placeholder, original)
    return refanged
```
Readability Trade-off: While unmistakably defanged, the verbose format can be harder to quickly parse, especially in long IOC lists.
When to Use Aggressive Style
Security Awareness Training: Teaching employees about phishing, malware, and safe URL handling.
Example:
⚠️ Phishing Example (DO NOT CLICK):
Fake URL: h**ps[PROTOCOL]paypa1-secure[DOT]com[SLASH]verify
Real PayPal: https://www.paypal.com
Public Presentations: Conference talks, webinars, YouTube videos where URLs need to be unmistakably safe.
Screenshots and Documentation: When capturing IOCs in images where viewers might not understand subtle defanging.
Executive Summaries: Reports for non-technical stakeholders who need to understand threats without security background.
Social Media Posts: Blog comments, forum posts, or social media where automated parsers are aggressive.
Comparative Analysis
Format Comparison Table
| Feature | CyberChef | Bracket | Aggressive |
|---|---|---|---|
| Recognition | ★★★★★ Universal | ★★★☆☆ Formal | ★★☆☆☆ Limited |
| Brevity | ★★★★★ Compact | ★★★★☆ Moderate | ★★☆☆☆ Verbose |
| Clarity | ★★★★☆ Clear | ★★★★★ Explicit | ★★★★★ Unmistakable |
| Refanging | ★★★★★ Trivial | ★★★★☆ Easy | ★★★☆☆ Complex |
| Tool Support | ★★★★★ Universal | ★★★★☆ Good | ★★☆☆☆ Limited |
| Training Value | ★★★☆☆ Assumed knowledge | ★★★★☆ Educational | ★★★★★ Self-explanatory |
Example Comparison
Same URL in all three formats:
Original URL:
https://attacker-c2.evil-domain.com:8080/api/beacon.php
CyberChef Style:
hxxps://attacker-c2[.]evil-domain[.]com:8080/api/beacon[.]php
Bracket Style:
https[:]//attacker-c2[.]evil-domain[.]com[:]8080/api/beacon[.]php
Aggressive Style:
h**ps[PROTOCOL]attacker-c2[DOT]evil-domain[DOT]com[COLON]8080[SLASH]api[SLASH]beacon[DOT]php
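The three format specifications above, written out as one defang function with a matching refang, as an added example (not code from this page's tool or from CyberChef). The function names, the single-pass replacement and the choice to restore the scheme only at the start of the string are assumptions of this sketch.

```python
import re

# Placeholder map for the Aggressive style, as listed on this page.
AGGRESSIVE = {".": "[DOT]", ":": "[COLON]", "/": "[SLASH]", "@": "[AT]"}
SCHEME = re.compile(r"^http(s?)://", re.IGNORECASE)


def defang(indicator: str, style: str = "cyberchef") -> str:
    """Defang a URL, host:port or e-mail address in one of the three styles."""
    if style == "cyberchef":
        # hxxp/hxxps scheme and bracketed periods; ':' and '/' stay as they are.
        out = SCHEME.sub(lambda m: f"hxxp{m.group(1).lower()}://", indicator)
        return out.replace(".", "[.]")
    if style == "bracket":
        # Bracket every '.', ':' and '@', so "://" becomes "[:]//".
        return re.sub(r"[.:@]", lambda m: f"[{m.group(0)}]", indicator)
    if style == "aggressive":
        head, rest = "", indicator
        m = SCHEME.match(indicator)
        if m:
            head = f"h**p{m.group(1).lower()}[PROTOCOL]"
            rest = indicator[m.end():]
        # Single pass, so text inserted by one placeholder is never re-replaced.
        return head + re.sub(r"[.:/@]", lambda c: AGGRESSIVE[c.group(0)], rest)
    raise ValueError(f"unknown style: {style!r}")


def refang(defanged: str) -> str:
    """Reverse any of the three styles; returns plain text, never fetches it."""
    named = {v: k for k, v in AGGRESSIVE.items()}
    named["[PROTOCOL]"] = "://"
    out = re.sub(r"\[(?:PROTOCOL|DOT|COLON|SLASH|AT)\]",
                 lambda m: named[m.group(0)], defanged)
    # Only brackets around a defanged character are removed, not every pair.
    out = re.sub(r"\[(://|[.:@])\]", r"\1", out)
    # Restore the scheme only at the start of the indicator.
    return re.sub(r"^h(?:xx|\*\*)p(s?)", r"http\1", out)


if __name__ == "__main__":
    url = "https://attacker-c2.evil-domain.com:8080/api/beacon.php"  # page's example
    for style in ("cyberchef", "bracket", "aggressive"):
        d = defang(url, style)
        print(f"{style:10} {d}  round-trip={refang(d) == url}")
```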
Hybrid Approaches
Some organizations combine styles for different parts of their workflows:
Tiered Communication
Internal analysts (CyberChef): Quick, efficient communication within security teams who understand the format.
Cross-department sharing (Bracket): More explicit format when sharing with IT, legal, or management.
External training (Aggressive): Maximum clarity for customer-facing security awareness materials.
Context-Sensitive Defanging
- Technical reports: CyberChef for space efficiency
- Email signatures: Bracket for formal communications
- Help desk articles: Aggressive for end-user clarity
Choosing the Right Style
Decision Framework
Ask yourself:
1. Who is the audience?
   - Security professionals → CyberChef
   - Formal/legal contexts → Bracket
   - General public/training → Aggressive
2. What's the distribution channel?
   - Threat intelligence platforms → CyberChef
   - Email/documents → Bracket or CyberChef
   - Presentations/training → Aggressive
3. How important is space efficiency?
   - Twitter/SMS/dense reports → CyberChef
   - Standard documents → Bracket
   - Clarity over brevity → Aggressive
4. Will recipients need to refang?
   - Yes, immediately → CyberChef
   - Yes, eventually → Bracket
   - No, display only → Aggressive
5. Is tool compatibility crucial?
   - MISP/SIEM integration → CyberChef
   - Manual processing → Any style
   - Automated parsing → CyberChef or Bracket
Best Practices
Consistency Within Documents
Once you choose a style, stick with it throughout a single document or communication:
❌ INCONSISTENT:
- hxxps://evil[.]com (CyberChef)
- https[:]//bad[.]net (Bracket)
- h**ps[PROTOCOL]ugly[DOT]org (Aggressive)
✅ CONSISTENT:
- hxxps://evil[.]com
- hxxps://bad[.]net
- hxxps://ugly[.]org
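A pre-publication check for this rule, as an added example (not part of the original page or of any tool it names): it reports lines whose style differs from the first style seen in the document, and lines that still carry a live http:// or https:// scheme. The marker patterns are heuristics chosen here, and the sample report is constructed.

```python
import re

# Markers that identify each style on this page. A bare "[.]" is shared by
# CyberChef and Bracket, so it does not decide the style on its own.
STYLE_MARKERS = {
    "aggressive": re.compile(r"h\*\*ps?\[PROTOCOL\]|\[(?:DOT|COLON|SLASH|AT)\]"),
    "bracket": re.compile(r"\[:\]|\[://\]|\[@\]"),
    "cyberchef": re.compile(r"hxxps?://", re.IGNORECASE),
}
LIVE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def classify(line: str):
    """Return the style whose marker appears in the line, or None."""
    for style, pattern in STYLE_MARKERS.items():
        if pattern.search(line):
            return style
    return None


def lint(report: str):
    """Return sorted (line_number, finding) tuples for a report's text."""
    findings, first_seen = [], {}
    for number, line in enumerate(report.splitlines(), 1):
        if LIVE_URL.search(line):
            findings.append((number, "live-url"))  # scheme was never defanged
        style = classify(line)
        if style:
            first_seen.setdefault(style, number)
    if len(first_seen) > 1:
        document_style = min(first_seen, key=first_seen.get)
        for style, number in first_seen.items():
            if style != document_style:
                findings.append((number, f"mixed-style:{style}"))
    return sorted(findings)


# Constructed sample: the page's inconsistent list plus one missed live URL.
MIXED = """\
C2 servers:
- hxxps://evil[.]com
- https[:]//bad[.]net
- h**ps[PROTOCOL]ugly[DOT]org
- http://missed.example/login
"""

if __name__ == "__main__":
    for number, finding in lint(MIXED):
        print(f"line {number}: {finding}")
```

A document that deliberately shows a legitimate live URL next to a defanged one, as the training example earlier on this page does, will be flagged on that line and needs a manual exception.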
Documenting Your Choice
Include a note explaining your defanging format, especially for external recipients:
## Indicators of Compromise
Note: URLs are defanged using CyberChef format (hxxp/hxxps and [.])
to prevent accidental clicks. Replace hxxp→http, hxxps→https, [.]→.
to restore original URLs for analysis in controlled environments.
Malicious domains:
- hxxps://phishing-site[.]com
- hxxp://malware-cdn[.]net
Automation and Tooling
Use dedicated tools rather than manual find-and-replace to ensure consistency and avoid errors:
- CyberChef: Web-based, supports all formats
- Python libraries: iocextract, defang
- Online tools: Our URL Defanger supports all three formats with one-click conversion
Conclusion
While CyberChef style dominates professional threat intelligence sharing, Bracket and Aggressive formats each serve important niches. Understanding all three enables you to communicate effectively across different contexts:
- CyberChef for daily security operations and threat intelligence
- Bracket for formal documentation and cross-organizational sharing
- Aggressive for training, awareness, and general public communication
The key is choosing the right tool for your audience and use case, then applying it consistently. Whichever format you choose, the goal remains the same: safely sharing threat intelligence without putting your colleagues, organization, or community at risk.

