Censys Review
Internet-wide scanner with certificate transparency coverage no other tool matches.
Quick Verdict
Best for threat intelligence analysts and security researchers who need to track TLS certificate reuse across attacker infrastructure or enumerate services on a target ASN.
Pros
- + Certificate transparency log ingestion covers more TLS certs than any competing scanner, including expired and revoked
- + Unified data model (host.ip, host.services, host.certificates) makes pivoting across attributes cleaner than Shodan's query approach
- + Scans 1,400+ protocols — not limited to common ports
- + Academic tier is free with a .edu email and has generous query limits
- + BGP/ASN data included at all paid tiers without a separate add-on
Cons
- − Free tier caps at 250 queries/month — barely enough for one active investigation
- − Individual tier costs $99/mo versus Shodan's $69/mo for comparable query volume
- − Query syntax is less intuitive than Shodan's; operators and field names require documentation review
- − No device-type tagging — you won't find 'webcam' or 'ICS controller' filters the way Shodan surfaces them
- − Historical snapshots locked behind paid tiers
- − IoT and ICS banner coverage thinner than Shodan's
What Censys Is
Censys scans all IPv4 addresses and collects certificate transparency logs. The result is a searchable index of internet-exposed hosts, services, and TLS certificates. Censys covers 1,400+ protocols. It ties host data to certificate chains, BGP prefixes, and autonomous systems in one data model.
Certificates are a core data type. You can find every certificate ever issued for a domain, including expired and revoked ones. You can move from certificate to host in a query. Operators sometimes miss things, and certificates expire.
What It's Good For
Censys excels in several areas:
- Certificate pivot investigations: finding every host that served a suspicious TLS cert, which is useful for tracking down malware C2s.
- Tracking certificate reuse: building a fingerprint from one host and finding the rest of the cluster.
- Enumerating services on a target ASN: a full picture of what an organization exposes, without needing direct contact.
- Subdomain discovery: querying Censys's certificate index finds subdomains that are not in DNS.
- Academic research: Censys publishes its scanning method, which makes it a citation-ready, defensible data source.
Getting Started
The Community tier is free, offering 250 queries per month, which is sufficient to test the tool or verify a lead.
The Individual plan costs $99 per month, providing 2,000 queries and API access from a single IP address. Students and academics can receive a higher quota by using their .edu email address.
Initial queries to consider:

```
# Find all hosts sharing a specific TLS certificate fingerprint (SHA-256)
services.tls.certificates.leaf_data.fingerprint: "a3f1..."

# Find all hosts in an ASN serving HTTPS
autonomous_system.asn: 15169 and services.port: 443

# Find all certificates issued to a domain, including subdomains (certificate index)
parsed.names: "*.target.com"

# Find SSH services running on non-standard ports
services.transport_protocol: "TCP" and services.service_name: "SSH" and not services.port: 22

# Find hosts with expired certificates still being served
services.tls.certificates.leaf_data.subject.organization: "Acme Corp" and services.tls.certificates.leaf_data.validity.end < "2025-01-01"
```
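The certificate pivot described under "What It's Good For", worked offline as an added example (not code from Censys or from this review): it validates a fingerprint before building the first query above, then expands the cluster one query per fingerprint against a query budget. The host records, the `fp` and `host` helpers and the record layout are constructed assumptions modelled on the field paths shown on this page, not real API output.

```python
import re
from collections import deque

FIELD = "services.tls.certificates.leaf_data.fingerprint"  # field path from the page
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def fp(n):  # constructed placeholder fingerprint: one hex digit repeated 64 times
    return format(n, "x") * 64

def host(ip, *services):
    """Constructed record shaped after the page's field paths (not real API output)."""
    return {"ip": ip, "services": [
        {"port": p, "tls": {"certificates": {"leaf_data": {"fingerprint": f}}}}
        for p, f in services]}

# Constructed sample data; IPs are RFC 5737 documentation addresses.
HOSTS = [
    host("192.0.2.10", (443, fp(0xa))),
    host("192.0.2.11", (443, fp(0xa)), (8443, fp(0xb))),  # links cert a to cert b
    host("198.51.100.7", (8443, fp(0xb))),
    host("203.0.113.5", (443, fp(0xc))),                  # unrelated host
]

def pivot_query(fingerprint):
    """Build the fingerprint query, rejecting anything that is not SHA-256 hex."""
    value = fingerprint.strip().lower()
    if not SHA256_RE.match(value):
        raise ValueError("not a SHA-256 fingerprint")
    return f'{FIELD}: "{value}"'

def host_fingerprints(record):
    return {s["tls"]["certificates"]["leaf_data"]["fingerprint"]
            for s in record["services"] if "tls" in s}

def expand_cluster(seed, hosts, budget):
    """Breadth-first pivot: cert -> hosts -> their other certs, one query per cert."""
    queue, seen, cluster, queries = deque([seed]), {seed}, set(), []
    while queue and len(queries) < budget:
        current = queue.popleft()
        queries.append(pivot_query(current))   # one query spent per fingerprint
        for record in hosts:                   # stands in for the search result
            fps = host_fingerprints(record)
            if current in fps:
                cluster.add(record["ip"])
                queue.extend(fps - seen)       # newly seen certs become next pivots
                seen |= fps
    return sorted(cluster), queries, len(queue)  # len(queue): pivots left unspent

if __name__ == "__main__":
    print(expand_cluster(fp(0xa), HOSTS, budget=250))
```

The third return value shows how many pivots were still pending when the budget ran out, which is the number to watch on the 250-query Community tier.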
Censys Query Filters
| Filter | Example | Purpose |
|---|---|---|
| `ip` | `ip: 192.168.1.1` | Look up a specific host |
| `autonomous_system.asn` | `autonomous_system.asn: 13335` | All hosts in an AS |
| `autonomous_system.name` | `autonomous_system.name: "CLOUDFLARE"` | Hosts by org name |
| `services.port` | `services.port: 8443` | Hosts with a specific port open |
| `services.service_name` | `services.service_name: "REDIS"` | Hosts running a named service |
| `services.transport_protocol` | `services.transport_protocol: "UDP"` | Filter by transport layer |
| `services.tls.certificates.leaf_data.fingerprint` | (SHA-256 hash) | Match by cert fingerprint |
| `parsed.names` | `parsed.names: "*.example.com"` | Cert index: SAN match |
| `parsed.subject.organization` | `parsed.subject.organization: "Let's Encrypt"` | Certs by issuing org |
| `services.http.response.headers.server` | `services.http.response.headers.server: "nginx"` | Filter by server banner |
| `labels` | `labels: "honeypot"` | Censys-assigned host classification |
| `location.country_code` | `location.country_code: "RU"` | Hosts in a specific country |
Censys queries use dot notation. Fields are specified like services.port, metadata.title. Refer to the Censys Search Language documentation for field names and syntax.
Pricing
| Plan | Price | Queries/Month | Key Features |
|---|---|---|---|
| Community | Free | 250 | Web interface only, limited data fields |
| Individual | $99/mo | 2,000 | Full data, API access (1 IP) |
| Teams | $399/mo | 10,000 | Full data, API access (5 IPs) |
| Academic | Free | Generous (not publicly specified) | Full data, API access, requires .edu email |
| Enterprise | Custom | Unlimited | Bulk export, dedicated support, custom integrations |
Most analysts begin with the $99/mo Individual plan, which works well for solo work. If you find yourself scripting bulk lookups or hitting query limits, consider stepping up to the Teams plan, which costs $399/mo.
Limitations
- Free tier limitations: 250 queries per month is not enough for real work. A single certificate pivot investigation can consume 50–100 queries in an hour.
- Shodan is cheaper for device and IoT recon: Shodan's individual plan is $69/mo, and it has more device-type tagging and better ICS/SCADA coverage.
- Query syntax requires investment: Censys's dot-notation field paths are precise but not guessable. Budget time with the documentation to learn the syntax.
- Historical data is paywalled: The free and individual tiers only show current data. Historical snapshots require a paid tier.
Alternatives
- Shodan: Broader device and IoT/ICS banner coverage, lower entry price, and more intuitive query syntax. Choose Shodan for device fingerprinting, ICS discovery, or bulk banner analysis.
- FOFA: China-based scanner with cheaper pricing and strong coverage of Asian IP space. Choose FOFA for higher query volume at lower cost and targets concentrated in Asia-Pacific.
- ZoomEye: Similar indexing approach to Censys with a more generous free tier. Choose ZoomEye for lightweight investigations where budget is a constraint and cert work isn't the priority.
- GreyNoise: Focused on filtering scanner noise rather than building an infrastructure map. Choose GreyNoise to classify whether an IP is a known scanner.
Verdict
Censys excels in certificate transparency. Its strength lies in CT logs, which enable cert reuse and subdomain discovery. The Individual tier costs $99/mo, a significant investment. The Academic tier is free for holders of .edu email addresses, making it an attractive option.
If you track devices or IoT, Shodan may be a more affordable choice at $69/mo, offering greater value for the price.
See Also
Best Threat Hunting Tools
Threat hunting requires a proactive approach. You're searching for adversaries hiding in the shadows of your network. Effective threat hunting tools help.
1. Shodan
Shodan indexes internet infrastructure, including servers, cameras, routers, and industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details. The OSINT value is that you know what a target has exposed before you ever send a packet their way. Operators miss things; dev servers get forgotten.
Shodan's query syntax is precise. You filter by port, protocol, or banner text. Results are exportable. API access lets you automate searches. It's a skill to learn, but Shodan pays off.
2. Censys
Censys scans the internet. It finds devices and services. Certificates reveal domain names. You get detailed info on TLS configurations. Port scans are fast. Censys focuses on security.
Censys and Shodan overlap, but each has unique data. Use both for comprehensive coverage.
3. MISP
MISP aggregates and shares indicators. You correlate data from multiple sources. Visualizations help with analysis. MISP integrates with tools.
MISP centralizes data. You feed it intel. It shares it across your team.
4. Maltego
Maltego visualizes relationships. Domains, IPs, and hashes connect in a graph. You see the attack surface. Maltego supports investigations. You map out attacker infrastructure. Maltego's transform engine does the heavy lifting.
5. SpiderFoot
SpiderFoot automates OSINT collection. It scrapes data from public sources. You monitor domains, IPs, and hashes. SpiderFoot gathers data fast. SpiderFoot supports multiple data sources.
SpiderFoot is a timesaver. You focus on analysis.
Comparison of Threat Hunting Tools
| Tool | Focus | Data Source | Automation | Learning Curve |
|---|---|---|---|---|
| Shodan | Network recon | Internet scans | High | Steep |
| Censys | Network recon | Internet scans | High | Steep |
| MISP | Threat intel | Aggregated feeds | Medium | Moderate |
| Maltego | Entity analysis | Graph DB | Medium | Moderate |
| SpiderFoot | OSINT collection | Public sources | High | Easy |
Best Network Recon Tools
Network recon tools find what's exposed. You identify attack surfaces.
1. Nmap
Nmap scans networks. Fast and accurate. You detect hosts, services. Nmap's scripting engine extends capability. You write scripts; Nmap automates tasks.
2. Masscan
Masscan scans the internet. You detect hosts. Results are raw. Masscan serves different needs. Masscan's speed comes at the cost of detail.
3. ZMap
ZMap scans networks. Open-source. You detect hosts, services. ZMap's design focuses on speed. It scans large networks fast. Results are detailed.
Comparison of Network Recon Tools
| Tool | Speed | Accuracy | Automation |
|---|---|---|---|
| Nmap | Medium | High | High |
| Masscan | High | Low | Medium |
| ZMap | High | High | Medium |
Conclusion
Threat hunting and network recon require the right tools. Shodan, Censys, and Nmap are top tools. Each tool has strengths. You choose based on your needs.
Further Reading
Tool Relationships
Similar Tools
Shodan
Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.
urlscan.io
Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL
VirusTotal
Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains
C2 Tracker
A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.
This review reflects testing as of 2026-04-02. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.