# ghostkit.net - Full LLM Content

> Security tools directory, browser toolkit, URL scanner, and MCP server for AI-assisted security workflows.

## Browser Toolkit (33 tools at /toolkit)

### Decode & Transform

- [JS Deobfuscator](https://ghostkit.net/toolkit/js-deobfuscator): Decode hex, unicode, base64, String.fromCharCode, unpack arrays, unwrap eval() — all client-side in your browser.
- [Encoder / Decoder](https://ghostkit.net/toolkit/decoder): Convert between Base64, Hex, URL encoding, HTML entities, Unicode escapes, and Octal. Auto-detect encoding format.
- [JWT Decoder](https://ghostkit.net/toolkit/jwt-decoder): Decode and inspect JSON Web Tokens. View header, payload, claims, expiry status, and security warnings.
- [SAML Decoder](https://ghostkit.net/toolkit/saml-decoder): Decode base64-encoded SAML responses and assertions. View issuer, subject, attributes, conditions, and authentication context.
- [Base64 Image Viewer](https://ghostkit.net/toolkit/base64-image): Decode base64-encoded images and data URIs. Preview hidden images embedded in HTML, CSS, or JavaScript.
- [QR Code Reader/Generator](https://ghostkit.net/toolkit/qr-code): Generate QR codes from text or URLs with customizable error correction. Read and decode QR codes from uploaded images.

### Inspect & Analyze

- [URL Analyzer](https://ghostkit.net/toolkit/url-analyzer): Break down suspicious URLs into components, detect phishing indicators, check for homoglyphs, and defang for safe sharing.
- [Email Headers](https://ghostkit.net/toolkit/email-header-analyzer): Parse email headers to trace message routes, check SPF/DKIM/DMARC authentication, and detect spoofing indicators.
- [CSP Analyzer](https://ghostkit.net/toolkit/csp-analyzer): Analyze Content-Security-Policy headers for risks. Detect unsafe-inline, unsafe-eval, wildcards, grade your policy A-F, and get fix suggestions.
- [CORS Checker](https://ghostkit.net/toolkit/cors-checker): Analyze CORS response headers for misconfigurations. Detect wildcard origins, exposed headers, credential leaks, and preflight issues.
- [Character Inspector](https://ghostkit.net/toolkit/char-inspector): Inspect text for homoglyphs, zero-width characters, mixed scripts, and invisible Unicode. Detect phishing and text manipulation.
- [Cookie Analyzer](https://ghostkit.net/toolkit/cookie-analyzer): Parse Set-Cookie headers and cookie strings. Check Secure, HttpOnly, SameSite flags, expiry, domain scope, and spot common misconfigurations.
- [Entropy Analyzer](https://ghostkit.net/toolkit/entropy-analyzer): Calculate Shannon entropy of text or files. Detect encrypted, compressed, or obfuscated data with byte frequency histograms.
- [Hex Viewer](https://ghostkit.net/toolkit/hex-viewer): View binary data as hex + ASCII with automatic file signature detection. Identify file types by magic bytes and inspect headers.
- [EXIF Viewer](https://ghostkit.net/toolkit/exif-viewer): Upload an image to extract EXIF metadata. View camera model, exposure settings, GPS coordinates, timestamps, and lens info. Flags privacy-sensitive location data.
- [HTTP Response Inspector](https://ghostkit.net/toolkit/http-response-inspector): Paste raw HTTP responses to parse status, headers, and body. Flags missing security headers, info leaks, and misconfigurations.
- [Certificate Decoder](https://ghostkit.net/toolkit/cert-decoder): Decode PEM certificates to view subject, issuer, SANs, validity, key algorithm, and extensions. Check expiry and signature strength.
- [CSR Decoder](https://ghostkit.net/toolkit/csr-decoder): Decode PEM-encoded Certificate Signing Requests. View subject, key algorithm, key size, SANs, and requested extensions.
- [DNS Lookup](https://ghostkit.net/toolkit/dns-lookup): Resolve DNS records for any domain. Query A, AAAA, MX, TXT, NS, CNAME, SOA, and more. Detect mail provider, SPF, DMARC, and DKIM status.
- [SSH Key Analyzer](https://ghostkit.net/toolkit/ssh-key-analyzer): Parse SSH public and private keys. View key type, bit strength, fingerprints, encryption status, and security assessment.

### Format & Compare

- [JSON Formatter](https://ghostkit.net/toolkit/json-formatter): Format, validate, and inspect JSON with a collapsible tree view. Copy JSON paths, minify, and load security-focused example payloads.
- [YAML/TOML Formatter](https://ghostkit.net/toolkit/yaml-toml-formatter): Validate and pretty-print YAML and TOML config files. Auto-detects format, converts to JSON, and counts keys.
- [Code Diff](https://ghostkit.net/toolkit/code-diff): Compare two code snippets side-by-side. Spot differences between original and modified files with line-by-line highlighting.
- [Regex Tester](https://ghostkit.net/toolkit/regex-tester): Test regular expressions with real-time match highlighting. Built-in security patterns for IPs, hashes, JWTs, AWS keys, and more.
- [Timestamps](https://ghostkit.net/toolkit/timestamp-converter): Convert between Unix timestamps, ISO 8601, and human-readable dates. Auto-detect format, date math, relative time, and epoch references.
- [Cron Parser](https://ghostkit.net/toolkit/cron-parser): Parse cron expressions into plain English. Validate syntax, see next run times, and use quick presets for common schedules.
- [XML Formatter](https://ghostkit.net/toolkit/xml-formatter): Format, minify, and validate XML. Counts elements and attributes, detects mismatched tags and structural errors.
- [SQL Formatter](https://ghostkit.net/toolkit/sql-formatter): Format, minify, and analyze SQL queries. Auto-indents keywords, reports table usage, joins, subqueries, and statement count.
- [HTML Prettifier](https://ghostkit.net/toolkit/html-prettifier): Format, minify, and analyze HTML. Auto-indents tags, reports element counts, IDs, classes, and structure.

### Crypto & Network

- [Hash Generator](https://ghostkit.net/toolkit/hash-generator): Compute MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files. Compare against known hashes for integrity checks.
- [Password Generator](https://ghostkit.net/toolkit/password-generator): Generate cryptographically secure passwords and passphrases. Check entropy, estimate crack time, and customize length, character sets, and word count.
- [RSA/EC Key Generator](https://ghostkit.net/toolkit/key-generator): Generate RSA, ECDSA, ECDH, and Ed25519 keypairs in PEM format. Uses the Web Crypto API, all keys stay in your browser.
- [HMAC Generator](https://ghostkit.net/toolkit/hmac-generator): Compute HMAC signatures for webhook verification and API auth. Supports SHA-256, SHA-512, SHA-1 with hex and base64 output.
- [UUID Generator](https://ghostkit.net/toolkit/uuid-generator): Generate random v4 UUIDs in bulk or parse existing UUIDs to extract version, variant, and timestamps for v1/v7.
- [TOTP Generator](https://ghostkit.net/toolkit/totp-generator): Generate time-based one-time passwords from a base32 secret. Live countdown, adjacent codes for clock-skew debugging.
- [IP/CIDR Calculator](https://ghostkit.net/toolkit/ip-calculator): Parse IP addresses, calculate subnet masks, expand CIDR ranges, detect private/reserved networks, and check subnet membership.

### Web3 & Blockchain

- [Keccak-256 Hasher](https://ghostkit.net/toolkit/keccak-hasher): Compute Keccak-256 hashes from text or hex input. Generate Ethereum function selectors, event topics, and storage slots.
- [ABI Decoder](https://ghostkit.net/toolkit/abi-decoder): Decode Ethereum transaction calldata into human-readable function calls and parameters. Detect token transfers, approvals, and swaps.
- [Transaction Decoder](https://ghostkit.net/toolkit/tx-decoder): Parse raw RLP-encoded Ethereum transactions. Inspect nonce, gas, value, chain ID, and signature fields for Legacy, EIP-2930, and EIP-1559 types.

## External Security Tool Providers

### Code Deobfuscation

- [CyberChef](https://ghostkit.net/providers/cyberchef) [online] (free): The cyber Swiss Army knife. Drag-and-drop operations into recipes for encoding, decoding, encryption, and data analysis—all in your browser.
- [DecodePHP](https://ghostkit.net/providers/decodephp) [online] (subscription): Professional IonCube decoder supporting versions 10 through 15 with PHP 7.1 to 8.4. Upload encrypted PHP files and get readable source code back.
- [GhostKit](https://ghostkit.net/providers/ghostkit) [online] (free): A curated directory and browser-based toolkit for security researchers. GhostKit combines 14+ client-side tools — JS deobfuscation, encoding/decoding, URL analysis, email header parsing, hash generation, JWT/SAML decoding, and more — with a comprehensive directory of external security tools.
- [de4js](https://ghostkit.net/providers/de4js) [online] (free): Browser-based JavaScript deobfuscator supporting 15+ formats including JSFuck, obfuscator.io, and packed code.
- [JS NICE](https://ghostkit.net/providers/js-nice) [online] (free): Statistical renaming and type inference for JavaScript.
- [Obfuscator.io Deobfuscator](https://ghostkit.net/providers/obfuscator-io-deobfuscator) [online] (free): Specialized reverser for obfuscator.io encoded JavaScript. Handles string arrays, control flow, and dead code.
- [Restringer](https://ghostkit.net/providers/restringer) [cli] (free): Automatic JavaScript deobfuscation with 40+ modules. Handles obfuscator.io, Caesar Plus, and custom patterns.
- [UnPHP](https://ghostkit.net/providers/unphp) [online] (free): Automated PHP decoder for nested eval/base64 obfuscation. Handles 80+ layers of encoding automatically.

### PHP & WordPress Security

- [DecodePHP](https://ghostkit.net/providers/decodephp) [online] (subscription): Professional IonCube decoder supporting versions 10 through 15 with PHP 7.1 to 8.4. Upload encrypted PHP files and get readable source code back.
- [PHP Sandbox](https://ghostkit.net/providers/php-sandbox) [online] (free): Test PHP code across 5 versions simultaneously. From PHP 4.0 to 8.4, see exactly how your code behaves.
- [Shield MAL{ai}](https://ghostkit.net/providers/shield-malai) [online] (free): AI-powered PHP malware detection. Learns from new samples to catch threats signatures miss.
- [Sucuri SiteCheck](https://ghostkit.net/providers/sucuri-sitecheck) [online] (free): Free remote website malware scanner. Checks blacklists, detects infections, and identifies outdated software.
- [UnPHP](https://ghostkit.net/providers/unphp) [online] (free): Automated PHP decoder for nested eval/base64 obfuscation. Handles 80+ layers of encoding automatically.
- [WPScan](https://ghostkit.net/providers/wpscan) [cli] (subscription): The WordPress vulnerability database. 70,000+ CVEs for core, plugins, and themes—with CLI scanner and API.

### Web Code Analysis

- [CyberChef](https://ghostkit.net/providers/cyberchef) [online] (free): The cyber Swiss Army knife. Drag-and-drop operations into recipes for encoding, decoding, encryption, and data analysis—all in your browser.
- [GhostKit](https://ghostkit.net/providers/ghostkit) [online] (free): A curated directory and browser-based toolkit for security researchers. GhostKit combines 14+ client-side tools — JS deobfuscation, encoding/decoding, URL analysis, email header parsing, hash generation, JWT/SAML decoding, and more — with a comprehensive directory of external security tools.
- [de4js](https://ghostkit.net/providers/de4js) [online] (free): Browser-based JavaScript deobfuscator supporting 15+ formats including JSFuck, obfuscator.io, and packed code.
- [Hybrid Analysis](https://ghostkit.net/providers/hybrid-analysis) [online] (free): Free malware sandbox powered by CrowdStrike Falcon. Upload files up to 250MB for behavioral analysis and threat detection.
- [URLScan.io](https://ghostkit.net/providers/urlscan-io) [online] (free): A sandbox for the web. Scan URLs and see every request, cookie, and DOM element—with screenshots from 20+ countries.
- [VirusTotal](https://ghostkit.net/providers/virustotal) [online] (free_trial): Scan files and URLs against 70+ antivirus engines. The definitive multi-engine malware check.

### Browser Extension Analysis

- [ExtAnalysis](https://ghostkit.net/providers/extanalysis) [cli] (free): Open-source browser extension analysis framework. Scan Chrome, Firefox, and Brave extensions for vulnerabilities.
- [Extension Source Viewer](https://ghostkit.net/providers/extension-source-viewer) [online] (free): View source of any Chrome, Firefox, or Opera extension without installing. Download as ZIP, search files, preview code.
- [Spin.AI Browser Extension Risk Assessment](https://ghostkit.net/providers/spinai-browser-risk) [online] (free): AI-powered browser extension risk scoring. Analyze 400,000+ extensions across Chrome, Edge, Safari, and Firefox.

### HTTP Traffic Interception

- [Burp Suite](https://ghostkit.net/providers/burp-suite) [desktop] (free_trial): The Swiss Army knife of web exploitation. From intercepting and modifying live traffic to automating custom injection attacks, Burp Suite is the central hub for modern web security research.
- [HTTP Toolkit](https://ghostkit.net/providers/http-toolkit) [desktop] (free_trial): Open-source HTTP debugger with one-click interception. Inspect and modify traffic from browsers, apps, and Docker.
- [mitmproxy](https://ghostkit.net/providers/mitmproxy) [cli] (free): Free Python-powered HTTPS proxy. Script traffic manipulation with Python, or use the web UI.
- [Charles Proxy](https://ghostkit.net/providers/charles-proxy) [desktop] (free_trial): The developer's best friend for debugging HTTP traffic. Charles sits between your app and the internet, letting you inspect, modify, and simulate network conditions with surgical precision.
- [Fiddler](https://ghostkit.net/providers/fiddler) [desktop] (free): Web debugging proxy trusted by 4 million developers. Now with Fiddler Everywhere for cross-platform support.
- [Proxyman](https://ghostkit.net/providers/proxyman) [desktop] (free_trial): Modern HTTP debugging proxy for macOS, iOS, and Android. Native app with one-click SSL setup and GraphQL support.

### Email & Phishing Analysis

- [GhostKit](https://ghostkit.net/providers/ghostkit) [online] (free): A curated directory and browser-based toolkit for security researchers. GhostKit combines 14+ client-side tools — JS deobfuscation, encoding/decoding, URL analysis, email header parsing, hash generation, JWT/SAML decoding, and more — with a comprehensive directory of external security tools.
- [Hybrid Analysis](https://ghostkit.net/providers/hybrid-analysis) [online] (free): Free malware sandbox powered by CrowdStrike Falcon. Upload files up to 250MB for behavioral analysis and threat detection.
- [URLScan.io](https://ghostkit.net/providers/urlscan-io) [online] (free): A sandbox for the web. Scan URLs and see every request, cookie, and DOM element—with screenshots from 20+ countries.
- [VirusTotal](https://ghostkit.net/providers/virustotal) [online] (free_trial): Scan files and URLs against 70+ antivirus engines. The definitive multi-engine malware check.
- [MxToolbox Header Analyzer](https://ghostkit.net/providers/mxtoolbox-header-analyzer) [online] (free): RFC 822 email header parser showing hop delays, routing path, and authentication results.
- [EasyDMARC Analyzer](https://ghostkit.net/providers/easydmarc-analyzer) [online] (free): Email header analyzer with SPF/DKIM/DMARC validation, blacklist checking, and SpamAssassin scoring.
- [PhishTool](https://ghostkit.net/providers/phishtool) [online] (free_trial): Forensic phishing email analysis platform. Parse headers, links, and attachments at scale.
- [Message Header Analyzer (Microsoft)](https://ghostkit.net/providers/microsoft-mha) [online] (free): Microsoft official email header analyzer. Identifies delivery delays and pinpoints responsible servers.
- [Wannabrowser](https://ghostkit.net/providers/wannabrowser) [online] (free): View websites as any browser or device. Detect user-agent based cloaking without visiting suspicious URLs.
- [Email Header Analyzer (Google Admin)](https://ghostkit.net/providers/google-header-analyzer) [online] (free): Google official email header analyzer from Admin Toolbox. Shows hop-by-hop routing with normalized timestamps.

### Web3 Security

- [GhostKit](https://ghostkit.net/providers/ghostkit) [online] (free): A curated directory and browser-based toolkit for security researchers. GhostKit combines 14+ client-side tools — JS deobfuscation, encoding/decoding, URL analysis, email header parsing, hash generation, JWT/SAML decoding, and more — with a comprehensive directory of external security tools.
- [Slither](https://ghostkit.net/providers/slither) [cli] (free): Static analysis framework for Solidity and Vyper smart contracts with 90+ built-in vulnerability detectors, running in under one second per contract.
- [Mythril](https://ghostkit.net/providers/mythril) [cli] (free): Symbolic execution engine for EVM bytecode that detects vulnerabilities like reentrancy and integer overflows by exploring multiple execution paths via SMT solving.
- [De.Fi Scanner](https://ghostkit.net/providers/defi-scanner) [online] (free): Browser-based smart contract scanner and DeFi security platform that checks tokens for rug pull indicators and vulnerability risk scores across 50+ blockchains.
- [Chainalysis Reactor](https://ghostkit.net/providers/chainalysis-reactor) [online] (subscription): Enterprise-grade blockchain forensics platform that traces cryptocurrency transactions across 27+ blockchains, identifying real-world entities and following funds through mixers, bridges, and DEXs.
- [Forta Network](https://ghostkit.net/providers/forta-network) [online] (free_trial): Decentralized real-time security and compliance network that monitors on-chain activity, blocking malicious transactions with sub-10ms latency and over 99% recall.
- [SolidityScan](https://ghostkit.net/providers/solidityscan) [online] (free_trial): Automated Solidity vulnerability scanner that generates detailed PDF audit reports, with a free QuickScan rug pull detector and VS Code plugin for real-time feedback.

## Security Techniques (22 reference pages)

- [Base64 Decoding for Security Analysis](https://ghostkit.net/techniques/base64-decoding): How to decode Base64-encoded payloads found in malware, phishing kits, and obfuscated scripts. Detect hidden URLs, credentials, and executable code.
- [URL Encoding and Decoding for Security](https://ghostkit.net/techniques/url-encoding-decoding): Decode percent-encoded URLs to reveal hidden paths, parameters, and payloads. Detect double-encoding attacks and URL-based injection attempts.
- [Hex Encoding in Malware and Obfuscated Code](https://ghostkit.net/techniques/hex-encoding-decoding): Decode hex-encoded strings in malware samples, obfuscated JavaScript, and network traffic. Identify file signatures by magic bytes.
- [HTML Entity Encoding in XSS and Phishing](https://ghostkit.net/techniques/html-entity-decoding): Decode HTML entities used to obfuscate XSS payloads, phishing page content, and malicious scripts embedded in web pages.
- [JavaScript Deobfuscation Techniques](https://ghostkit.net/techniques/javascript-deobfuscation): How to deobfuscate JavaScript malware, phishing scripts, and browser exploits. Reverse eval packing, string rotation, array shuffling, and control flow flattening.
- [Unpacking eval() in Malicious JavaScript](https://ghostkit.net/techniques/eval-unpacking): How to unpack eval-wrapped JavaScript used in malware droppers, exploit kits, and obfuscated phishing scripts. Safe techniques for revealing hidden code.
- [Decoding String.fromCharCode in Malicious Scripts](https://ghostkit.net/techniques/string-fromcharcode-decoding): Reverse String.fromCharCode obfuscation used in JavaScript malware and XSS payloads. Convert character code arrays back to readable strings.
- [PHP eval(base64_decode()) Malware Patterns](https://ghostkit.net/techniques/php-eval-base64-malware): Identify and decode PHP webshells and backdoors that use eval(base64_decode()). Common patterns in WordPress hacks, file upload exploits, and server compromises.
- [Content Security Policy (CSP) Analysis](https://ghostkit.net/techniques/content-security-policy): How to analyze and audit Content-Security-Policy headers. Detect unsafe-inline, unsafe-eval, wildcard sources, and other misconfigurations that enable XSS.
- [CORS Misconfigurations and Security Risks](https://ghostkit.net/techniques/cors-misconfiguration): Detect dangerous CORS configurations: wildcard origins with credentials, reflected origins, null origin attacks, and overly permissive access-control headers.
- [Cookie Security Flags: Secure, HttpOnly, SameSite](https://ghostkit.net/techniques/cookie-security-flags): Audit cookie security attributes. Detect session cookies missing Secure, HttpOnly, or SameSite flags that enable session hijacking and CSRF attacks.
- [HTTP Security Headers Checklist](https://ghostkit.net/techniques/http-security-headers): Review HTTP response headers for security misconfigurations. Check for missing HSTS, X-Content-Type-Options, X-Frame-Options, and information leaks in Server headers.
- [Email Header Analysis for Phishing Investigation](https://ghostkit.net/techniques/email-header-analysis): Parse email headers to trace message origin, verify SPF/DKIM/DMARC authentication, and detect spoofed sender addresses in phishing emails.
- [Shannon Entropy for Detecting Encrypted and Obfuscated Data](https://ghostkit.net/techniques/shannon-entropy-analysis): Use Shannon entropy to identify encrypted files, compressed data, obfuscated code, and packed malware. High entropy means hidden content.
- [EXIF Metadata Extraction and Privacy Risks](https://ghostkit.net/techniques/exif-metadata-extraction): Extract EXIF metadata from images to find GPS coordinates, camera details, timestamps, and software used. Understand the privacy risks of embedded photo metadata.
- [Regex Patterns for Extracting IOCs](https://ghostkit.net/techniques/regex-ioc-extraction): Regular expression patterns for extracting indicators of compromise: IP addresses, domains, hashes, URLs, email addresses, and Bitcoin wallets from security logs and reports.
- [SSL/TLS Certificate Inspection and Verification](https://ghostkit.net/techniques/ssl-certificate-inspection): Decode and inspect X.509 certificates. Check validity, issuer chain, Subject Alternative Names, key strength, and detect expired or self-signed certificates.
- [JWT Token Analysis and Security Pitfalls](https://ghostkit.net/techniques/jwt-token-analysis): Decode and inspect JSON Web Tokens. Detect algorithm confusion attacks, missing signature verification, excessive claims, and insecure token storage.
- [SAML Response Decoding and SSO Security](https://ghostkit.net/techniques/saml-response-decoding): Decode Base64-encoded SAML responses and assertions. Inspect issuer, audience, conditions, and authentication context in SSO flows.
- [Hash Identification and Verification](https://ghostkit.net/techniques/hash-identification): Identify hash types by length and format: MD5, SHA-1, SHA-256, SHA-512, bcrypt, and more. Use hashes for file integrity verification and IOC matching.
- [Detecting Phishing URLs: Indicators and Techniques](https://ghostkit.net/techniques/url-phishing-detection): Analyze URLs for phishing indicators: typosquatting, homoglyph attacks, suspicious subdomains, URL shortener abuse, and credential harvesting parameters.
- [Homoglyph and IDN Homograph Attack Detection](https://ghostkit.net/techniques/homoglyph-detection): Detect Unicode homoglyph attacks in domain names and text. Identify Cyrillic, Greek, and other look-alike characters used for phishing and impersonation.
- [IP Address and CIDR Subnet Analysis](https://ghostkit.net/techniques/ip-subnet-analysis): Parse IP addresses, calculate subnet ranges, identify private/reserved networks, and expand CIDR notation for firewall rules and network forensics.
- [Decoding EVM Transaction Calldata](https://ghostkit.net/techniques/decoding-evm-calldata): Read Ethereum transaction calldata to identify which function is being called, what parameters were passed, and whether the transaction does what the UI claims.
- [Detecting Token Approval Phishing in Calldata](https://ghostkit.net/techniques/approval-phishing-detection): Spot malicious approve(), permit(), and setApprovalForAll() calls before signing. Learn the calldata patterns wallet drainers use to empty wallets in a single signature.
- [Reverse Lookup of EVM Function Selectors](https://ghostkit.net/techniques/function-selector-lookup): Identify unknown 4-byte function selectors by computing keccak256 of candidate signatures. Useful when reading calldata against unverified contracts.
- [Decoding Raw RLP-Encoded Ethereum Transactions](https://ghostkit.net/techniques/raw-transaction-analysis): Parse signed and unsigned Ethereum transactions in RLP form. Inspect nonce, gas, value, chain ID, and signature fields across Legacy, EIP-2930, and EIP-1559 transaction types.
- [Reading Smart Contract Calldata for Honeypot Indicators](https://ghostkit.net/techniques/smart-contract-honeypot-indicators): Use calldata decoding and selector lookups to spot honeypot contracts before interacting. Identify hidden fees, transfer-blocking logic, and admin backdoors without running the contract.

## Learn - Security Investigation Course

- [Analyzing Suspicious URLs](https://ghostkit.net/learn/analyzing-suspicious-urls): Learn to spot URL red flags, choose passive vs active analysis, and use the right scanning tools.
- [Deobfuscating JavaScript](https://ghostkit.net/learn/deobfuscating-javascript): Understand common obfuscation techniques and map them to the right deobfuscation tools.
- [Investigating Phishing Emails](https://ghostkit.net/learn/investigating-phishing-emails): Analyze email headers, verify SPF/DKIM/DMARC, and trace the origin of suspicious messages.
- [Decoding PHP Malware](https://ghostkit.net/learn/decoding-php-malware): Recognize layered encoding patterns in PHP backdoors and decode them safely.
- [Building a Security Workflow](https://ghostkit.net/learn/building-a-security-workflow): Combine tools into repeatable investigation pipelines for common security scenarios.

## MCP Server

36 security tools available via Model Context Protocol (Streamable HTTP, spec 2025-06-18). Compatible with Claude, Cursor, Windsurf, and any MCP client.
Endpoint: https://ghostkit.net/api/mcp
Auth: X-API-Key header (or Authorization: Bearer gk_...)
Setup docs: https://ghostkit.net/mcp

## URL Scanner (Recon)

Multi-phase async URL analysis at /recon. Checks HTTP headers, DNS, WHOIS, TLS certificates, threat intelligence feeds, source code, phishing indicators, and JavaScript obfuscation. Produces a risk score from 0-100.

## API Access

REST API with API key authentication (X-API-Key header). Endpoints:
- POST /api/scans - Submit URL for scanning
- GET /api/scans/:id - Get scan results
- POST /api/mcp - MCP Streamable HTTP endpoint (JSON-RPC 2.0)