A tool to extract patterns of interest from malicious files, including IP addresses, URLs, embedded files, and typical malware strings. It is easily extensible with new patterns, regular expressions, and YARA rules.
A breach parser is a specialized script or software designed to organize, index, and search through massive datasets originating from data breaches. Instead of manually scrolling through a 100GB text file, a parser allows a user to instantly find specific information, such as all passwords associated with a particular domain or every leak tied to a specific email address. Most breach parsers work by:
It identifies email structures: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]2,$
Learn how to securely audit your company's domain using . Share public link breach parser
Built out of frustration with ransomware leaks that existing tools ignored, HIBR crawls ransomware gang leak sites, downloads the chaos, and uses OCR combined with LLMs to sift through scanned IDs, contracts, and HR PDFs. It processes unzipped files, runs OCR over images, extracts text, and feeds it to an LLM trained to recognize personal data patterns. The tool provides a frontend that lets users search for email addresses or IDs without exposing the raw data.
A popular wrapper script used frequently in the TCM Security community. It is designed to work with the "Compilation of Many Breaches" (COMB) and offers a simple CLI for searching localized data.
: You can search for an entire company domain (e.g., @example.com ) to see all leaked corporate accounts or a specific user's email. 3. Analyzing the Results A tool to extract patterns of interest from
The breach parser landscape is rapidly evolving with AI integration. Machine learning algorithms substantially improve detection precision, scalability, and response speed compared with human‑driven and rule‑based approaches. LLMs reduce the need for complex custom parsers, enabling more natural interaction with security data and accelerating parser development.
Detecting cryptographic patterns (e.g., 32-character MD5 strings, 40-character SHA-1 strings, or complex bcrypt structures). Plaintext Passwords: Separating credentials from usernames.
A threat management solution that extracts Indicators of Compromise from security reports in PDF format, designed to help security teams with IOC, APT, and threat intelligence management. Instead of manually scrolling through a 100GB text
A breach parser sifts through this digital noise. It acts as an automated sorting machine, extracting specific data points and reorganizing them into clean, highly structured formats that threat actors can easily use. How Breach Parsers Work: The Anatomy of the Process
Once the data is cleaned and split into distinct fields (e.g., Email | Plaintext | Hash | Source ), the parser serializes the data. It writes the clean output into a high-performance database optimized for large-scale text searches, such as Elasticsearch, MongoDB, PostgreSQL, or specialized flat-file indexing systems. The Architecture: Why Speed and Memory Management Matter
The breach-parse tool is designed for speed, allowing users to search through massive files on a local machine (ideally an SSD) to quickly identify compromised credentials.