Censys - Find and analyze any server and device on the Internet

What is Censys?

Censys was created in 2015 at the University of Michigan, by the security researchers who developed ZMap, the most widely used tool for Internet-wide scanning. So, Censys is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet. Censys regularly probe every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API.

What is use of Censys?

Enterprises use Censys to understand their network attack surfaces. CERTs and security researchers use it to discover new threats and assess their global impact. From the creators of ZMap, the leading Internet-wide scanner, censys mission is to make security be driven by data.

How to use Censys?

Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:

You can search for records that meet certain criteria (e.g., IPv4 hosts of, or browser trusted certificates for, generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.

Censys also post all of thier raw data, provide programmatic access through a REST API, and publish reports on protocol deployment and the supporting PKI.

1. Simple Search

If you simply search for a word or phrase, Censys will return any records that contain the phrase. For example, searching for google will return any records that contain the word google. Searching for will return all hosts in that network. Here are some simple search example -

2. Advanced Search

Censys data is structured and supports more advanced queries including searching specific fields, specifying ranges of values, and boolean logic. For example, you can search for hosts with the HTTP Server Header "Apache" in India by running the query 80.http.get.headers.server: Apache and location.country_code: IN.

2.1 Specifying Fields

Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query: 80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for one of Google web server.

2.2 Boolean Logic

You can compose multiple statements using the terms and, or, not, and parentheses. For example, (Jio or BSNL) and By default, all included terms are optional (i.e., executed as an or statement).

2.3 Networks, Host Names, and Protocols

You can search for IP addresses using CIDR notation (e.g., ip: or by specifying a range of addresses: ip:[ TO]. You can search for hosts that serve a particular protocol by searching the protocols field, e.g., protocols: "102/s7". Inline DNS queries are possible with the following syntax: and

2.4 Ranges

You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax: [2012-01-01 TO 2012-12-31]. One sided limits can also be specified: [2012-01-01 TO *].

2.5 Wildcards and Regular Expressions

By default, Censys searches for complete words. In other words, the search BSN will not return records that contain the word BSNL. Wildcard searches can be run on individual terms, using ? to replace a single character, and * to replace zero or more characters. For example, if you want to search for words that start with BSN, you would search for BSN*. You can also search using regular expressions, e.g., metadata.manufacturer:/BS[ll]/. You can find the full regex syntax here.

2.6 Boosting

The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: BSNL^2 OR Jio places more preference on the BSNL keyword.

2.7 Reserved Characters

The following characters must be escaped with a backslash: +, -, =, &, ||, >, <, !, (, ), {, }, [, ], ^, ", ~, *, ? ,:, \, /.

3. Censys REST API

The Censys REST API provides programmatic access to the same data accessible through the web interface. All API endpoints are hosted at and require authenticating with HTTP basic auth using the API ID and secret that are shown under My Account. This page also lists the rate limits that apply to your account.
Censys provide the following API endpoints: search, view, report, and data


  1. Censys
  2. Censys Research Paper
0 Comments 0 Comments
0 Comments 0 Comments