All your investigation tools, in one tab.

JWT decoders, URL scanners, deobfuscators, and an MCP server so Claude or Cursor work the same toolbox. All local, all free.

Unlock ghostkit+ Browse the directory

39 browser tools 36 MCP tools 22 technique pages 36+ providers

ghostkit+

Sign in once, four products open up.

Sign in with Google →

Toolkit

39 browser-based security tools. Decode Base64, inspect JWTs, deobfuscate JavaScript, generate hashes, test regex, and more. Everything runs locally, nothing leaves your browser.

Decode Inspect Format Crypto Web3

URL Recon

Scan any URL for security threats. Analyzes HTTP headers, DNS records, WHOIS data, source code patterns, and threat intelligence feeds. Get a 0-100 risk score in seconds.

Scan a URL →

Learn

A five-part security investigation course. URL analysis, JavaScript deobfuscation, phishing takedown, malware inspection, and writing it all up. The chapters link back to the right toolkit pages, so you're always one click from trying it.

Basic Advanced

Start learning →

BASIC COURSE

1 Analyzing Suspicious URLs

2 Deobfuscating JavaScript

3 Investigating Phishing

4 PHP Malware

5 Security Workflows

ADVANCED PLAYBOOKS

Suspicious JavaScript

MCP Server

36 security tools your AI can call mid-conversation. Give Claude, Cursor, or any MCP client access to the full toolkit. Decode, hash, inspect, and analyze without switching tabs.

Connect to your AI →

user: decode this JWT

claude: Using gk_jwt_decoder...

alg: RS256, sub: auth0|645f

Expiry: Valid (12d left)

user: check the CSP header too

claude: Using gk_csp_analyzer...

Grade: B (75/100)

unsafe-inline detected

One

sign-in.

Everything

opens.

Security work is fragmented enough already. You have a JWT decoder bookmarked, a header checker open in another tab, a regex tester in a third, and a deobfuscator you only trust because you read its source last year.

ghostkit+ is the consolidation. Same tools, one surface. Nothing leaves your browser unless you explicitly ask. The scanner does the server-side work. The MCP server pipes it all into your AI. The course shows you the thread that connects them.

Free forever. One account. No upsell lurking in the footer.

Free & open

No account needed for these.

Reference material and directories that live outside the gate, indexed by search engines, linkable everywhere.

Providers

Curated directory of external security tools and vendors. Side-by-side comparisons, pricing, strengths, weaknesses.

36+ tools indexed across code analysis, malware sandbox, URL scan, and more.

Browse the directory →

Techniques

22 reference pages. Base64 decoding, JS deobfuscation, CSP analysis, phishing detection, each one explaining the actual thing, not the buzzword.

Every page links to a hands-on toolkit tool.

Read the reference →

Security Jobs

European cybersecurity job board. Pentesting, SOC, DevSecOps, cloud security, and AppSec. Aggregated from multiple sources, updated daily.

AI-estimated salary ranges where missing.

Browse jobs →

39

Browser tools

36

MCP tools

22

Technique pages

36+

External providers

For normal humans. Because it can be better.

Google sign-in, no credit card, no onboarding. You're through the gate in about four seconds.

Unlock ghostkit+ Sign in with Google

Feature
Type
Pricing
Platforms
Description