CyberChef

Built by UK intelligence, used by everyone — an honest look at the open-source Swiss Army knife for encoding, encryption, and data wrangling.

TL;DR

• What it is: A free, client-side web app for encoding, decoding, encrypting, hashing, and transforming data — built by GCHQ, the UK signals intelligence agency, and released as Apache-2.0 open source [3].
• Who it’s for: Security analysts, CTF competitors, developers who need to decode API responses or parse certificates without installing a dozen separate tools. Less directly useful for non-technical founders, but anyone who touches encoded data will eventually land here [1][4].
• Cost savings: CyberChef replaces nothing you’re paying for — it’s free, hosted on GitHub Pages, and entirely client-side. The value isn’t escaping a SaaS bill; it’s collapsing 20 separate tools into one browser tab [2][3].
• Key strength: Everything runs in the browser. Your input never touches a server. You can download the entire app as a single zip file and run it offline — or self-host it in 30 seconds with Docker [2][3].
• Key weakness: It’s a manual, interactive tool — not automatable in the same way as a CLI pipeline. The interface has a learning curve for newcomers, and the “recipe” system, while powerful, can feel overwhelming until you know what you’re looking for [1][4].

---

What is CyberChef

CyberChef is a web application, originally built by an analyst at GCHQ over several years of “10% innovation time,” that lets you chain data transformation operations together in a visual interface [3]. The project calls itself “The Cyber Swiss Army Knife,” which is accurate if slightly understated. It currently has 34,333 GitHub stars and is actively maintained, with version 10.22.1 as of this review.

The interface has four panels: an input box where you paste or drag your data, an output box showing the result, an operations list on the left with every available transformation organized into categories, and a recipe area in the middle where you drag operations and chain them [README]. You drop in Base64-encoded text, drag the “From Base64” operation into the recipe, and the decoded output appears immediately — automatically, without clicking a button, thanks to the “Auto Bake” feature.

What makes it practically useful rather than just technically interesting is the breadth of operations. The complete category list includes: Data Format, Encryption/Encoding, Public Key, Arithmetic/Logic, Networking, Language, Utils, Date/Time, Compression, Hashing, Code Tidy, Forensics, Multimedia, Flow Control [3]. From that list, you get operations like AES/DES/Blowfish encryption and decryption, XOR, Base64, hexdump conversion, gzip/zlib compression, MD5/SHA1/SHA256, regex extraction, X.509 certificate parsing, JWT decoding, IPv6 address parsing, and hundreds more.

The project was conceived at a British intelligence agency, which gives it an unusual pedigree. The result is a tool designed by people whose job literally involves decoding intercepted data at scale — which explains why it’s so complete [3]. GCHQ still maintains it; the copyright notice reads “Crown Copyright 2016–2026.”

---

Why people choose it

The consistent thread across every review is the same: CyberChef eliminates the friction of “I need to quickly decode this thing and I don’t want to write a script or Google five different tools.”

HackerTarget’s guide [1] frames it as the go-to for analysts who need to pull email addresses from a document, decode Base64 payloads from suspicious files, or run regex across a blob of text — tasks that would otherwise require a Python script or a pile of browser bookmarks to online converters. The tutorial is explicit that it’s useful specifically because it works the same way across devices without installing anything.

The alphasec.io review [2] emphasizes a point that matters more as privacy concerns grow: CyberChef is entirely client-side. Nothing you paste into CyberChef is ever sent to any server. The README is explicit about this: “It should be noted that none of your recipe configuration or input (either text or files) is ever sent to the CyberChef web server.” For analysts handling sensitive data — credentials, certificates, patient records, API keys — this isn’t a nice-to-have; it’s load-bearing. The online version at gchq.github.io/CyberChef runs entirely in your browser; GCHQ’s server delivers the JavaScript bundle and then has nothing more to do with your session [2][README].

I-programmer’s review from 2019 [3] — which aged surprisingly well — makes the comparison to Ghidra, NSA’s reverse engineering tool, and notes that CyberChef is more generally useful precisely because it’s not specialized. A CTF player decoding nested encryption layers, a developer parsing a JWT token, and a sysadmin converting a certificate to PEM format are using the same tool for completely different purposes.

The recipe system is what separates CyberChef from just using a collection of online converters. You can chain operations — Base64 decode, then gunzip, then extract URLs with regex — save the recipe, and apply it to new input instantly [3][4]. Shared recipes are a real part of the community: security researchers post recipes for decoding specific malware obfuscation patterns, and you can load them directly from a URL [3].

The “Magic” operation is worth mentioning separately. CyberChef uses multiple heuristic techniques to automatically detect what kind of encoding your data is under, then suggests (and can auto-apply) the operations needed to decode it [README]. Paste in a blob of garbled text and click Magic — it will often figure out that it’s Base64-encoded gzip-compressed JSON without you having to guess [1].

---

Features

Core transformations:

• Encoding/decoding: Base64, URL, HTML, hex, binary, octal, charcode, decimal, etc. [3]
• Encryption/decryption: AES (ECB, CBC, CTR, GCM, OFB, CFB), DES, Triple DES, Blowfish, RC2, RC4 [3][README]
• Hashing: MD5, SHA1, SHA2 family, SHA3, HMAC, CRC, Adler [3]
• Compression: gzip, zlib, bzip2, zstd, LZMA, Brotli [3]
• Data format conversion: hexdump, binary, hex, base2–36, float representations [3]
• Public key / certificates: X.509 parsing, PEM/DER conversion, JWT decode, PGP operations [3]

Analysis operations:

• Regex extraction with 13 built-in patterns (URLs, IPs, email addresses, MAC addresses, file paths) [1]
• Fork: run an entire recipe against each line of multi-line input separately — handles batch processing [README]
• Breakpoints: pause recipe execution mid-chain to inspect intermediate state [README]
• Entropy calculation, frequency analysis, string extraction, EXIF data extraction [3]

Interface features:

• Auto Bake: output updates live as you type or change the recipe [README]
• Magic: auto-detect encoding and suggest decoding operations [README]
• Input/output highlighting: select bytes in input, see the corresponding bytes highlighted in output [README]
• Files up to 2GB can be dragged directly into the input box [README][1]
• Offline mode: download as a single zip, run from a USB stick with no network [3]
• Multiple themes, word wrap, configurable error display [website]
• Recipes can be saved locally, shared via deep link (URL encodes the full recipe) [2][3]

Self-hosted API (CyberChef Server):

• A separate cyberchef-server package exposes an HTTP API for baking recipes programmatically [3]
• Clients can POST a recipe and input to get transformed output — useful for integrating CyberChef transformations into automated pipelines

---

Pricing: SaaS vs self-hosted math

This section is simpler than usual: CyberChef has no pricing. It’s Apache-2.0 licensed, hosted for free on GitHub Pages, and the self-hosted version costs nothing beyond your hosting. There is no premium tier, no per-request billing, no enterprise upsell.

The live demo at https://gchq.github.io/CyberChef is free and always has been. The Docker image at ghcr.io/gchq/cyberchef:latest is public and free to pull [README].

What you’re replacing when you use CyberChef isn’t a paid SaaS subscription — it’s a collection of separate tools and the cognitive overhead of managing them. Without CyberChef, a security analyst might use one bookmarked site for Base64, a different one for hex conversion, a local Python script for AES, and OpenSSL on the command line for certificates. CyberChef collapses that into a single URL.

If you’re comparing desktop alternatives: SafeUtils [5] charges $19 as a one-off purchase for 110+ tools running natively on macOS/Linux/Windows. DevToys is free and open source. For pure cost, CyberChef wins (free), but it lives in the browser rather than running natively — relevant if you work with very large files or need full OS integration.

The only real cost is hosting, if you choose to self-host instead of using the GitHub Pages version:

• Docker on a $5/mo VPS: ~$5/mo
• Netlify/Vercel/Render static deploy: $0 (it’s a static app)
• Local machine: $0

---

Deployment reality check

Self-hosting CyberChef is probably the easiest deployment in this category [2]. Two options from the README:

Build from source:

docker build --tag cyberchef --ulimit nofile=10000 .
docker run -it -p 8080:80 cyberchef

Pre-built image (recommended):

docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest

Then visit http://localhost:8080. That’s the entire deployment guide [README].

Because CyberChef is a static web application with no database, no backend API, and no user accounts, there’s no state to manage, no secrets to protect, and no persistence layer to configure. A reverse proxy for HTTPS is optional but straightforward. The alphasec.io review [2] walks through deployments on Railway and Render as one-click operations — both work because the app is genuinely just static files being served.

What can go wrong:

• The build process (if building from source) requires a high nofile ulimit — the --ulimit nofile=10000 flag is non-obvious and missing from many unofficial deployment guides [README].
• Very large inputs (1GB+) can cause browser performance issues. The app will warn you and offer file downloads for large outputs instead of rendering in the UI [README].
• The CyberChef Server (API) variant requires separate setup and is not included in the basic Docker image — if you want programmatic access, look for the cyberchef-server npm package [3].
• CyberChef’s cryptographic implementations explicitly disclaim security guarantees in the README: “Cryptographic operations in CyberChef should not be relied upon to provide security in any situation.” It’s for analysis and understanding, not production cryptography [README].

Realistic setup time: 5–15 minutes if you have Docker. There’s genuinely nothing complex here.

---

Pros and Cons

Pros

• Entirely client-side. Data never leaves your browser. You can use the live version for sensitive data without privacy concerns — no telemetry, no server-side logging [2][README]. This is verified behavior, not a marketing claim.
• Apache-2.0 licensed. Genuinely open source with no commercial restrictions. Fork it, embed it, redistribute it — no licensing discussions needed [3].
• 34,333 GitHub stars. Not a niche tool. It’s actively maintained with community contributions and a regular release cadence (v10.22.1 as of this review) [README].
• Works offline. Download a single zip, put it on a USB drive, run it anywhere without network access [3]. Useful in air-gapped environments.
• Genuinely free, no tiers. No “free plan with limits.” Every operation, every feature, no account required [2][3].
• Recipe chaining. Multi-step transformations are first-class, not an afterthought. Recipes are shareable, loadable from URL, and savable locally [3][4].
• Magic detection. Auto-detects nested encodings and suggests operations — saves significant time when you don’t know what encoding you’re looking at [1][README].
• Trivial to self-host. One Docker command, no database, no configuration [README][2].

Cons

• Not automatable without the server variant. The UI is interactive and not scriptable by itself. Batch processing requires either the Fork operation within the UI or standing up the separate CyberChef Server API [3].
• Operations catalog is overwhelming at first. Hundreds of operations without prior context can make it hard to know where to start. HackerTarget’s tutorial [1] exists precisely because “there’s a box and a lot of options” isn’t a good onboarding experience.
• No cryptographic security guarantees. The README explicitly warns against relying on CyberChef’s implementations for actual security [README]. It’s for analysis, not for building production cryptographic systems.
• Primarily a technical tool. Despite the GitHub description claiming it’s for “both technical and non-technical analysts,” non-technical users will find it confusing without guidance [1][4]. The benefit clicks once you know what encoding is.
• No collaboration features. No shared workspaces, no history, no teams. Recipes are shared via URL or local storage only [README].
• Desktop apps (DevToys, SafeUtils) have better OS integration. File system access, system clipboard integration, and performance on large files are better on native desktop alternatives [5].
• Browser dependency. Running 2GB files through multiple transformations in a browser tab is noticeably slower than native CLI tools.

---

Who should use this / who shouldn’t

Use CyberChef if:

• You’re a security analyst, CTF player, or penetration tester who regularly decodes, decrypts, or transforms data and wants one consistent tool instead of a pile of bookmarks [1][3][4].
• You’re a developer debugging encoded API responses, JWT tokens, certificates, or binary protocols and want to inspect intermediate steps without writing throwaway scripts [3].
• You’re working with sensitive data and need absolute confidence it doesn’t leave your machine — the client-side guarantee is real and verifiable [2][README].
• You need an offline-capable tool for air-gapped or restricted network environments [3].
• You want to share a reproducible data transformation recipe with a colleague — the URL-based recipe sharing works well for collaboration [3].

Skip it if:

• You need to automate transformations over many inputs without a GUI. Use CyberChef Server, or better, write the pipeline in Python/shell with standard libraries [3].
• You’re a non-technical founder who doesn’t touch encoded data, certificates, or binary formats. This tool won’t solve your problems.
• You need production-grade cryptographic operations. Use a proper cryptographic library; CyberChef is for analysis, not securing data [README].
• You want a native desktop experience with full file system access. DevToys (free, open source) or SafeUtils ($19 one-time) are better for that use case [5].

---

Alternatives worth considering

• DevToys — Free, open source, Windows desktop app (Mac version available separately). Similar concept with a curated, focused set of dev tools. Better native integration, smaller operation catalog than CyberChef [5].
• SafeUtils — $19 one-time, macOS/Linux/Windows native desktop app with 110+ tools oriented toward sensitive data handling. The native UI is cleaner than CyberChef’s browser interface [5].
• CyberChef Server — The API variant of CyberChef itself, exposable over HTTP for programmatic use. First choice if you want to automate CyberChef recipes [3].
• Python with standard libraries — For anyone comfortable with code, base64, hashlib, cryptography, and struct modules replace most CyberChef operations with fully scriptable, automatable logic.
• dCode.fr — Browser-based, no install, focused on CTF decoding and classical ciphers. Less comprehensive than CyberChef but useful for cipher-specific work.
• OpenSSL (CLI) — For certificate and key operations specifically, OpenSSL is more reliable and production-safe than CyberChef’s implementations.

The realistic comparison for most users is CyberChef vs. a collection of specialized online tools. CyberChef wins that comparison on privacy (client-side) and the recipe chaining feature alone.

---

Bottom line

CyberChef is one of the few genuinely free tools that delivers exactly what it promises. A GCHQ analyst built the thing they needed and open-sourced it under Apache-2.0, and the result is a 34K-star project that the security community adopted without needing to be convinced. The client-side privacy guarantee, offline capability, and recipe system make it the obvious choice for anyone who regularly manipulates encoded or encrypted data. The limitations are real — it’s not a CLI tool, not automatable without separate server setup, and not appropriate for production cryptography — but within its scope it’s hard to improve on. If you’ve ever opened four different browser tabs to decode a single suspicious string, CyberChef eliminates that permanently.

---

Sources

1. jody-admin, HackerTarget — “Cyberchef Tutorial and Tips” (February 24, 2025). https://hackertarget.com/cyberchef-tutorial-tips/
2. AlphaSec — “CyberChef: The Cyber Swiss Army Knife”. https://alphasec.io/cyberchef-the-cyber-swiss-army-knife/
3. Nikos Vaggalis, I-Programmer — “CyberChef - The Developer’s Ultimate Toolbox” (September 24, 2019). https://www.i-programmer.info/news/90-tools/13117-cyberchef-the-developers-ultimate-toolbox.html
4. ItsReleased — “Cyberchef: Simplifying Data Manipulation Analysis in Cybersecurity”. https://itsreleased.com/cyberchef/
5. SaaSHub — “DevKnife Alternatives & Competitors” (listing CyberChef as an alternative). https://www.saashub.com/devknife-alternatives

Primary sources:

• GitHub repository and README: https://github.com/gchq/CyberChef (34,333 stars, Apache-2.0 license)
• Official live demo: https://gchq.github.io/CyberChef
• Docker image: https://ghcr.io/gchq/cyberchef:latest