Regex Cheat Sheet
Complete regular expression reference with syntax, quantifiers, character classes, groups, lookaheads, and real-world patterns.
Searchable, copyable, always up to date.
Basics
Fundamental regex metacharacters and their meanings.
| Pattern | Description | Example | Matches |
|---|---|---|---|
| `.` | Any character except newline | `a.c` | abc, a1c, a-c |
| `\` | Escape special character | `\.` | Literal dot |
| `\|` | Alternation (OR) | `cat\|dog` | cat, dog |
| `\n` | Newline | | |
| `\r` | Carriage return | | |
| `\t` | Tab | | |
| `\0` | Null character | | |
Quantifiers
Control how many times a pattern is matched. Quantifiers are greedy by default; add `?` to make them lazy.
| Pattern | Description | Example | Matches |
|---|---|---|---|
| `*` | 0 or more (greedy) | `ab*c` | ac, abc, abbc |
| `*?` | 0 or more (lazy) | `a.*?b` | Shortest match |
| `+` | 1 or more (greedy) | `ab+c` | abc, abbc (not ac) |
| `+?` | 1 or more (lazy) | `a.+?b` | Shortest match |
| `?` | 0 or 1 (optional) | `colou?r` | color, colour |
| `{n}` | Exactly n times | `\d{4}` | 1234, 5678 |
| `{n,}` | n or more times | `\d{2,}` | 12, 123, 1234 |
| `{n,m}` | Between n and m times | `\d{2,4}` | 12, 123, 1234 |
Character Classes
Match specific sets of characters.
| Pattern | Description | Equivalent |
|---|---|---|
| `[abc]` | Any one of a, b, or c | |
| `[^abc]` | Not a, b, or c | |
| `[a-z]` | Any lowercase letter | |
| `[A-Z]` | Any uppercase letter | |
| `[0-9]` | Any digit | `\d` |
| `\d` | Digit | `[0-9]` |
| `\D` | Non-digit | `[^0-9]` |
| `\w` | Word character | `[a-zA-Z0-9_]` |
| `\W` | Non-word character | `[^a-zA-Z0-9_]` |
| `\s` | Whitespace | `[ \t\n\r\f\v]` |
| `\S` | Non-whitespace | `[^ \t\n\r\f\v]` |
Anchors & Boundaries
Match positions, not characters.
| Pattern | Description | Example |
|---|---|---|
| `^` | Start of string (or line with m flag) | `^Hello` |
| `$` | End of string (or line with m flag) | `world$` |
| `\b` | Word boundary | `\bword\b` |
| `\B` | Non-word boundary | `\Bword\B` |
Groups & Backreferences
Capture matched text for reuse or create sub-patterns.
| Pattern | Description | Example |
|---|---|---|
| `(...)` | Capturing group | `(ab)+` matches ababab |
| `(?:...)` | Non-capturing group | `(?:ab)+` (no capture) |
| `(?<name>...)` | Named capturing group | `(?<year>\d{4})` |
| `\1` | Backreference to group 1 | `(\w+)\s\1` matches "the the" |
| `\k<name>` | Named backreference | `\k<year>` |
Lookahead & Lookbehind
Zero-width assertions that check what comes before or after without consuming characters.
| Pattern | Description | Example | Matches |
|---|---|---|---|
| `(?=...)` | Positive lookahead | `\d+(?= USD)` | "100" in "100 USD" |
| `(?!...)` | Negative lookahead | `\d+(?! USD)` | "100" in "100 EUR" |
| `(?<=...)` | Positive lookbehind | `(?<=\$)\d+` | "50" in "$50" |
| `(?<!...)` | Negative lookbehind | `(?<!\$)\d+` | "50" in "EUR50" |
Flags / Modifiers
Change how the regex engine interprets the pattern.
| Flag | Name | Description |
|---|---|---|
| `g` | Global | Find all matches, not just the first |
| `i` | Case-insensitive | Match upper and lowercase as equivalent |
| `m` | Multiline | `^` and `$` match start/end of each line |
| `s` | DotAll / Single-line | `.` matches newlines too |
| `u` | Unicode | Enable full Unicode matching |
| `y` | Sticky | Match only from lastIndex position |
Common Patterns for Security Analysts
Ready-to-use regex patterns for IOC extraction, log parsing, and threat analysis.
| What | Pattern | Notes |
|---|---|---|
| IPv4 address | `\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b` | Basic, no octet validation |
| IPv4 (strict) | `\b(?:(?:25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)\.){3}(?:25[0-5]\|2[0-4]\d\|1\d\d\|[1-9]?\d)\b` | Validates 0-255 octets |
| Email address | `[\w.+-]+@[\w.-]+\.\w{2,}` | Covers most real emails |
| URL (http/https) | `https?://[^\s<>"']+` | Simple URL extraction |
| Domain name | `\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b` | With flag i |
| MD5 hash | `\b[a-fA-F0-9]{32}\b` | 32 hex characters |
| SHA-1 hash | `\b[a-fA-F0-9]{40}\b` | 40 hex characters |
| SHA-256 hash | `\b[a-fA-F0-9]{64}\b` | 64 hex characters |
| MAC address | `\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b` | AA:BB:CC:DD:EE:FF |
| CVE ID | `CVE-\d{4}-\d{4,}` | CVE-2024-12345 |
| Base64 string | `[A-Za-z0-9+/]{20,}={0,2}` | Min 20 chars to avoid false positives |
| Windows file path | `[A-Z]:\\(?:[^\\\/:*?"<>\|]+\\)*[^\\\/:*?"<>\|]*` | `C:\Users\file.exe` |
| Unix file path | `(?:/[^\s/]+)+` | /usr/local/bin/malware |
| MITRE ATT&CK ID | `T\d{4}(?:\.\d{3})?` | T1059, T1059.001 |
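
Several of the patterns from the table above applied to a few log lines, as an added example (not code from the original page). The log lines, host name and hex strings are constructed, and `extractIocs` and `invalidIpv4` are hypothetical helper names. It shows the basic IPv4 pattern accepting `10.0.0.256` while the strict one rejects it, and `\b` keeping the MD5 pattern from matching inside a 64-character hex string.

```javascript
// Patterns copied from the table above. The g flag is required by matchAll();
// "/" is escaped in the URL pattern only because this is a JS regex literal.
const PATTERNS = {
  ipv4Basic: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
  ipv4Strict: /\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b/g,
  url: /https?:\/\/[^\s<>"']+/g,
  md5: /\b[a-fA-F0-9]{32}\b/g,
  sha256: /\b[a-fA-F0-9]{64}\b/g,
  cve: /CVE-\d{4}-\d{4,}/g,
  attack: /T\d{4}(?:\.\d{3})?/g,
};

// Constructed sample input (not real telemetry). The hex strings are
// filler of the right length, not digests of any file.
const MD5_SAMPLE = "ab12".repeat(8);    // 32 hex characters
const SHA256_SAMPLE = "0f".repeat(32);  // 64 hex characters
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z fw deny src=203.0.113.7 dst=10.0.0.256 note=bad-octet",
  `2024-05-01T10:00:02Z av hit md5=${MD5_SAMPLE} sha256=${SHA256_SAMPLE}`,
  '2024-05-01T10:00:03Z proxy GET "http://files.example.test/a.bin" ref CVE-2024-12345',
  "2024-05-01T10:00:04Z edr technique=T1059.001 parent=T1059",
].join("\n");

// Return the unique matches for every pattern, keyed by pattern name.
function extractIocs(text) {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    out[name] = [...new Set([...text.matchAll(re)].map((m) => m[0]))];
  }
  return out;
}

// Strings the basic IPv4 pattern accepts but the strict one rejects.
function invalidIpv4(iocs) {
  return iocs.ipv4Basic.filter((ip) => !iocs.ipv4Strict.includes(ip));
}

const iocs = extractIocs(SAMPLE_LOG);
console.log(iocs);
console.log("rejected by strict IPv4:", invalidIpv4(iocs));
```

The CVE and ATT&CK patterns in the table have no `\b` anchors, so they also match inside longer tokens; add `\b` on both sides when scanning free text.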
Frequently Asked Questions
Greedy quantifiers (`*`, `+`, `{n,}`) match as many characters as possible. Lazy quantifiers (`*?`, `+?`, `{n,}?`) match as few as possible. For example, in `<b>foo</b><b>bar</b>`, the pattern `<b>.*</b>` matches the entire string (greedy), while `<b>.*?</b>` matches only `<b>foo</b>` (lazy).

`\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`. For stricter validation (each octet 0-255), use the pattern in the "Common Patterns" section. You can also use our IOC Extractor or Regex Tester to test patterns live.

Lookaheads `(?=...)` and lookbehinds `(?<=...)` are zero-width assertions that match a position without consuming characters. They let you assert that certain text exists before or after your match without including it in the result. Negative versions `(?!...)` and `(?<!...)` assert the text does NOT exist.