Tools

Quick helpers for IPs, ports, and layers.

These little utilities are here to answer the kinds of questions I get from teammates and customers all the time: “what does this subnet mean?”, “is this port normal?”, and “how does everything line up in the OSI model?”.

Network & security helpers

Everything on this page runs purely in your browser. No data is sent anywhere — it's just JavaScript doing math and lookups.

Subnet / CIDR helper

Type an IPv4 CIDR (for example 10.0.5.0/24) to see the network, broadcast, mask, and usable host range.

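As an added example (not the site's own helper code), here is the arithmetic the CIDR helper has to do, written as plain JavaScript that runs in a browser or in Node. It derives the network, broadcast, mask, wildcard and usable host range from an IPv4 CIDR, treats /31 as a two-host point-to-point link per RFC 3021 and /32 as a single host, rejects malformed input, and includes a membership check for the "is this address inside that range?" question. The function and field names are my own choices.

```javascript
// Added example: IPv4 CIDR arithmetic with 32-bit unsigned integers.
// Function names (ipToInt, intToIp, cidrInfo, contains) are hypothetical.

function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet: ${p}`);
    return ((acc << 8) | Number(p)) >>> 0; // >>> 0 keeps the value unsigned
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

function cidrInfo(cidr) {
  const [ip, prefixStr] = cidr.trim().split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error(`bad prefix length: /${prefixStr}`);
  }
  const addr = ipToInt(ip);
  // JS shifts are mod 32, so /0 must be special-cased instead of shifting by 32.
  const mask = prefix === 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) >>> 0;
  const wildcard = (~mask) >>> 0;
  const network = (addr & mask) >>> 0;
  const broadcast = (network | wildcard) >>> 0;
  const total = 2 ** (32 - prefix);

  let usable, firstHost, lastHost;
  if (prefix <= 30) {
    usable = total - 2;            // network and broadcast addresses are not assignable
    firstHost = network + 1;
    lastHost = broadcast - 1;
  } else if (prefix === 31) {
    usable = 2;                    // RFC 3021: both addresses are usable on a point-to-point link
    firstHost = network;
    lastHost = broadcast;
  } else {
    usable = 1;                    // /32: a single host
    firstHost = network;
    lastHost = network;
  }

  return {
    input: cidr.trim(),
    prefix,
    network: intToIp(network),
    broadcast: intToIp(broadcast),
    mask: intToIp(mask),
    wildcard: intToIp(wildcard),
    totalAddresses: total,
    usableHosts: usable,
    firstHost: intToIp(firstHost),
    lastHost: intToIp(lastHost),
    // true when the address typed in has host bits set, i.e. it is not the network address itself
    hasHostBits: network !== addr,
  };
}

// Does `ip` fall inside `cidr`?  Compares the masked address with the network address.
function contains(cidr, ip) {
  const info = cidrInfo(cidr);
  return ((ipToInt(ip) & ipToInt(info.mask)) >>> 0) === ipToInt(info.network);
}

// Usage: console.log(cidrInfo('10.0.5.0/24')) prints network 10.0.5.0, broadcast 10.0.5.255,
// mask 255.255.255.0 and 254 usable hosts from 10.0.5.1 to 10.0.5.254.
```

The `hasHostBits` flag is worth surfacing in a UI: people often paste a host address with a prefix (192.168.1.77/26) and are surprised that the "network" shown differs from what they typed.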

“Why is this port open?”

Pick a common port to see what it's usually used for and how I think about securing it on a firewall or edge device.


OSI model, layer by layer

Click a layer to see how I think about it from a cybersecurity and CISO perspective.


Crypto cheat: quick hashes

Generate MD5, SHA-1, or SHA-256 for a string or IOC. This is for integrity checks and quick lookups — not for password storage.


JWT decoder (header & payload)

Paste a JSON Web Token to quickly see the header and payload fields, algorithm, and key ID. No secrets or signatures are touched.

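An added example (not the site's decoder) of what "decode without verifying" involves: split the token on dots, convert each base64url segment back to standard base64 with its padding restored, parse the JSON, and report the `alg` and `kid` header fields. The result is explicitly marked `verified: false`, and a few sanity warnings are attached that a reviewer usually wants to see straight away (an `alg` of `none`, an empty signature segment, a missing or past `exp`). The sample token is constructed in the code; its signature segment is a placeholder, not a real signature. Function names are mine.

```javascript
// Added example: JWT header/payload decoding with NO signature verification.
// Function names (base64UrlDecode, decodeJwt, makeSampleToken) are hypothetical.

// base64url -> standard base64 alphabet, then restore the '=' padding the JWT spec strips.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// `now` (seconds since epoch) is a parameter so the exp check is deterministic in tests.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  const [h, p, sig] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));

  const warnings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    warnings.push('alg is "none": the token carries no signature at all');
  }
  if (!header.kid) warnings.push('no kid header: the verifier must know the key out of band');
  if (sig.length === 0) warnings.push('empty signature segment');
  if (typeof payload.exp !== 'number') warnings.push('no exp claim: token never expires');
  else if (payload.exp < now) warnings.push('exp is in the past: token is expired');

  return {
    header,
    payload,
    alg: header.alg ?? null,
    kid: header.kid ?? null,
    signatureLength: sig.length,
    verified: false,          // decoding says nothing about authenticity
    warnings,
  };
}

// --- Constructed sample token (not issued by any real system) ---
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeSampleToken(header, payload, signatureText = 'placeholder-not-a-signature') {
  const sig = signatureText === '' ? '' : Buffer.from(signatureText).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${base64UrlEncode(header)}.${base64UrlEncode(payload)}.${sig}`;
}

const SAMPLE_TOKEN = makeSampleToken(
  { alg: 'HS256', typ: 'JWT', kid: 'demo-key-1' },
  { sub: 'alice', iat: 1516239022, exp: 1516242622 }
);

// Usage: console.log(decodeJwt(SAMPLE_TOKEN, 1516240000)) shows alg HS256, kid demo-key-1,
// sub alice, verified false and no warnings.
```

Keeping `verified: false` in the output is deliberate: a decoder like this is for reading claims during triage, and nothing it prints should be mistaken for a statement that the token is genuine.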

OSINT & incident response quick reference

These notes are here for the “what should I look at next?” moments during investigations — artifact locations, log sources, and fast triage prompts.

Common artifact locations

Places I usually check first for evidence across Windows, Linux, and macOS.

  • Windows: Event Viewer (Security, System, Application), %ProgramData%, %AppData%, startup items, scheduled tasks, services, and registry run keys.
  • Linux: /var/log/*, ~/.ssh/authorized_keys, /etc/ssh/sshd_config, cron jobs (crontab -l, /etc/cron.*), and systemd units.
  • macOS: Console logs, /var/log/, launch agents/daemons (/Library/LaunchAgents, /Library/LaunchDaemons, ~/Library/LaunchAgents), and login items.

High-value log sources

Logs that usually give the most signal per minute when you're triaging.

  • Identity: auth logs (AD, AAD, IdP), MFA events, password resets, role changes.
  • Endpoint: EDR alerts, process creation logs, new binaries, persistence changes, USB / removable media activity.
  • Network: firewall and proxy logs, VPN connections, DNS logs, unusual egress (new destinations or protocols).
  • Cloud: control-plane audit logs, config changes, new keys/tokens, and new public exposures (buckets, security groups, IPs).
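The "unusual egress" item above is the one that most often needs a script rather than a glance. As an added example (not part of the original notes), here is a small Node/JavaScript triage helper run over constructed firewall log lines: it parses each event, keeps only allowed outbound connections, and reports every destination/protocol/port combination that is not in a known-good baseline, with the sources that talked to it and when it was first seen. The log format and the baseline are both made up for the example; real firewalls vary, so the regex is the part you would adapt.

```javascript
// Added example: flag egress to destinations/ports not seen in a baseline.
// Log format, baseline and function names are constructed for this example.

// Constructed sample lines (documentation-range addresses, not a real system).
const SAMPLE_LOG = `
2024-03-01T10:00:01Z ALLOW src=10.0.5.12 dst=192.0.2.10 proto=tcp dport=443
2024-03-01T10:00:07Z ALLOW src=10.0.5.12 dst=192.0.2.10 proto=tcp dport=443
2024-03-01T10:01:13Z ALLOW src=10.0.5.44 dst=198.51.100.7 proto=udp dport=53
2024-03-01T10:02:40Z ALLOW src=10.0.5.12 dst=203.0.113.99 proto=tcp dport=4444
2024-03-01T10:03:02Z ALLOW src=10.0.5.44 dst=198.51.100.7 proto=tcp dport=22
2024-03-01T10:03:55Z DENY  src=10.0.5.90 dst=203.0.113.99 proto=tcp dport=4444
2024-03-01T10:04:30Z ALLOW src=10.0.5.12 dst=203.0.113.99 proto=tcp dport=4444
`;

// Known-good egress, keyed as "dst proto/dport" (what a baseline period would have produced).
const BASELINE = ['192.0.2.10 tcp/443', '198.51.100.7 udp/53'];

const LINE_RE = /^(\S+)\s+(ALLOW|DENY)\s+src=(\S+)\s+dst=(\S+)\s+proto=(\S+)\s+dport=(\d+)$/;

// One log line -> event object, or null for blank/unparseable lines.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], action: m[2], src: m[3], dst: m[4], proto: m[5], dport: Number(m[6]) };
}

// Returns one finding per (dst, proto, dport) that was ALLOWED and is absent from the baseline.
// DENY lines are skipped here: blocked attempts matter too, but they are a different question.
function findNewEgress(logText, baseline) {
  const known = new Set(baseline);
  const findings = new Map();
  for (const line of logText.split('\n')) {
    const ev = parseLine(line);
    if (!ev || ev.action !== 'ALLOW') continue;
    const key = `${ev.dst} ${ev.proto}/${ev.dport}`;
    if (known.has(key)) continue;
    const f = findings.get(key) ?? {
      key, dst: ev.dst, proto: ev.proto, dport: ev.dport,
      firstSeen: ev.ts, count: 0, sources: new Set(),
    };
    f.count += 1;
    f.sources.add(ev.src);
    findings.set(key, f);
  }
  // Sets become sorted arrays so the result is easy to print or serialise.
  return [...findings.values()].map(f => ({ ...f, sources: [...f.sources].sort() }));
}

// Usage: console.table(findNewEgress(SAMPLE_LOG, BASELINE)) lists 203.0.113.99 tcp/4444
// (seen twice from 10.0.5.12) and 198.51.100.7 tcp/22 (once from 10.0.5.44).
```

The output is a prompt, not a verdict: a new destination on tcp/443 from a laptop is usually nothing, while a first-ever connection to a new host on an uncommon port from a server that never talks outbound is the kind of finding that decides where the next 30 minutes go.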

Incident triage checklists

Fast, non-exhaustive prompts for the first 30–60 minutes of an incident.

  • Web app incident: identify affected endpoints, confirm auth model, review WAF and app logs, check for mass exploitation, and verify backups / roll-back options.
  • Endpoint malware: isolate the host, capture volatile data if possible, review recent processes, autoruns, network connections, and hunt for similar IOCs.
  • Phishing: collect original email, links, and attachments; see who clicked or entered credentials; reset credentials; review login history and mail rules for affected accounts.