All tools
Security tools

Entropy Analyzer

Calculate Shannon entropy to detect encoded, encrypted or obfuscated strings. Find high-entropy anomalies in log files, source code and environment variables.

Shannon entropy Line-by-line mode Base64 detection Hex detection JWT detection 50K char limit
Get started free Sign in

Free · No credit card · 50 credits/day

Entropy thresholds

Bits per character — higher means more unpredictable and uniform character distribution.

0 – 3.5 bits Low entropy

Natural language, structured config files, CSV data, XML. Characters repeat predictably.

Hello, world! → 3.18 username=admin → 2.92 SELECT * FROM users → 3.4
3.5 – 4.5 bits Medium entropy

Possibly obfuscated or lightly encoded. Typical of CamelCase identifiers, phone numbers, UUIDs.

getUserByEmail → 3.81 a1b2c3d4-e5f6 → 4.0 myP@ssw0rd! → 3.9
4.5 – 7.5 bits High entropy — suspect

Likely encrypted, Base64-encoded, compressed or a cryptographic hash/key. Investigate further.

SGVsbG8gV29ybGQ= → 5.54 (Base64) sk_live_abc123xyz → 5.1 eyJhbGciOiJIUzI1... → 5.7 (JWT)
7.5 – 8.0 bits Near-random / binary

Raw binary data, compressed output, strong encryption ciphertext. Virtually uniform distribution.

Random 32-byte key → 7.8+ AES-256 ciphertext → ~8.0 gzip compressed → 7.5+

Security research use cases

🔍
Detect hardcoded secrets

Paste environment variables or config files and check for high-entropy strings that could be API keys, private keys or passwords accidentally committed to version control.

🦠
Malware triage

Obfuscated malware often stores encrypted payloads as high-entropy string literals. Run the line-by-line mode on suspicious code to locate the encoded payload.

📋
Log file anomaly detection

Paste log lines and sort by entropy. Encoded exfiltration traffic, injected tokens and obfuscated commands show up as statistical outliers among normal low-entropy log data.

🔑
Verify key randomness

A generated API key or secret should score near 6 bits/char (Base62 charset). Lower scores suggest weak generation — sequential IDs, timestamps or predictable patterns.

🧪
CTF challenges

When given an unknown string in a CTF, entropy is the fastest first step — it tells you immediately whether you're dealing with ciphertext, encoding, or plaintext.

📦
Compression detection

Near-random entropy (7.5+) in a file or string may indicate gzip, zlib or brotli compressed data stored as a raw byte sequence.

Frequently asked questions

What is Shannon entropy?

Shannon entropy measures the unpredictability of a string — how many bits of information are needed per character. Low entropy (0–3.5) means structured text like natural language. High entropy (4.5+) suggests encoding, encryption or compression where characters are more uniformly distributed.

Why measure entropy in security research?

Malware often hides payloads as Base64-encoded or encrypted blobs inside normal-looking strings. High-entropy strings in source code, logs or environment variables are a red flag for hardcoded secrets, encrypted payloads or obfuscated code. Entropy analysis is a quick triage step before deeper investigation.

What entropy level indicates encrypted or encoded content?

Below 3.5 bits = low (natural language). 3.5–4.5 = medium (possibly obfuscated). 4.5–7.5 = high (likely encrypted, encoded or compressed). Above 7.5 = near-random (binary/compressed). A Base64 string typically scores around 5.5–6 bits.

Related tools

More tools for encoding and security analysis.

Base64 Decoder

Decode Base64 strings — confirm what high-entropy Base64 content contains.

Hash Generator

Generate MD5, SHA-256 and other hashes to compare entropy characteristics.

JWT Decoder

Decode JWT tokens — high-entropy strings starting with "ey" are often JWTs.

Analyze a string now

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →