OSINTBench

Onyphe Review

Cyber defense search engine indexing internet-wide scan data, threat intelligence feeds, and passive DNS

3.7/5
freemium | Free (1 query/min, limited data) / Eagle $10/mo / Whale $50/mo | Professional | Brief overview | Reviewed 2026-04-03

Quick Verdict

Best for European security teams and threat intelligence analysts who want Shodan-equivalent capabilities with EU data residency, plus integrated CTI feed data in a single query interface.

Pros

  • + Combines internet scanning, passive DNS, threat intelligence feeds, and WHOIS in a single query interface
  • + Threat feed integration: CTI data from known-bad IP lists, botnet C2s, and malware infrastructure sources
  • + API-first design — all data available programmatically; well-documented REST API
  • + IOCEAN (Indicators of Compromise) categorization labels IPs and domains with their threat context
  • + French-operated (EU data residency) — relevant for EU investigators with data sovereignty requirements
  • + Data includes historical snapshots — query what was running on an IP at a previous date

Cons

  • Less well-known than Shodan — smaller community, fewer integrations, less documentation
  • Free tier is highly restricted (1 query/minute, 10 results max) — meaningful research requires paid plan
  • Interface is functional but less polished than Shodan or Censys
  • Coverage density for non-European infrastructure may be lower than Shodan
  • Pricing is reasonable but paid tier is required for any serious research volume

What Onyphe Is


Onyphe scans the internet and finds live hosts and open ports. It tells you what services are running and provides threat intel: if an IP shows up in threat intelligence feeds, Onyphe says so. It also provides passive DNS, WHOIS data, geolocation changes, and hosting shifts.

Onyphe targets cyber defenders and security analysts who dig through infrastructure. It is not your average OSINT tool. Onyphe puts threat intel first, and its users are a distinct crowd, different from Shodan users.

What It Does

Onyphe scans the entire IPv4 and IPv6 address space, logging running services, banners, and certificates, which you can search.

Coverage is global, with European regions dense and others sparse. Shodan's coverage is denser in non-European regions.

Onyphe's passive DNS data provides historical records, showing which domains resolve to IPs and which IPs host domains, a useful feature for pivoting, similar to SecurityTrails.

Threat feeds label IPs, including botnet C2 lists, malware servers, brute-force sources, and Tor exit nodes. IPs in Onyphe's results get threat context, such as C2, spam source, or scanner.

IOCEAN adds threat context by categorizing indicators. When you query an IP, you get details, such as "This IP scans for Mirai" or "This IP is a Cobalt Strike C2."

Query Syntax

Onyphe's query syntax is straightforward. You use category:, then a specific data type, and finally, a search term.

The query syntax works as follows:

  • category:datascan ip:1.2.3.4
  • category:datascan domain:example.com
  • category:inetnum org:"Company Name"

The category field narrows the search to datascan, resolver, threatlist, or inetnum, each targeting a specific data type.

Examples include:

  • Paste-site content searches: category:pastries content:"admin"
  • Threat list entries: category:threatlist ip:1.2.3.4
  • Passive DNS searches: category:resolver domain:example.com

The query syntax is simple, requiring just a category, data type, and search term, which must be precise.
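
An added example, not from the review or from Onyphe: a small builder and parser for the category:<name> field:value form shown above, used to plan lookups for your own asset inventory. The category set is limited to the names this review mentions, and the function names and sample inventory are constructed for illustration.

```python
import ipaddress
import shlex

# Categories named in this review; Onyphe may offer others.
CATEGORIES = {"datascan", "resolver", "threatlist", "inetnum", "pastries"}


def build_query(category, **filters):
    """Return 'category:<cat> field:value ...', quoting values with spaces."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category}")
    parts = [f"category:{category}"]
    for field, value in filters.items():
        value = str(value)
        if '"' in value:
            raise ValueError("double quotes are not allowed in values")
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{field}:{value}")
    return " ".join(parts)


def parse_query(query):
    """Split a query back into (category, {field: value})."""
    fields = {}
    for token in shlex.split(query):  # honours "quoted values"
        key, sep, value = token.partition(":")  # first colon only (IPv6 safe)
        if not sep or not value:
            raise ValueError(f"malformed term: {token!r}")
        fields[key] = value
    category = fields.pop("category", None)
    if category not in CATEGORIES:
        raise ValueError("query needs a known category")
    return category, fields


def plan_asset_queries(assets):
    """Build the lookups for each of your own IPs or domains."""
    plan = []
    for asset in assets:
        try:
            ipaddress.ip_address(asset)
            field, cats = "ip", ("datascan", "threatlist")
        except ValueError:  # not an IP literal: treat it as a domain
            field, cats = "domain", ("resolver", "datascan")
        plan += [build_query(c, **{field: asset}) for c in cats]
    return plan

# Constructed sample inventory (documentation address and domain).
SAMPLE_PLAN = plan_asset_queries(["192.0.2.10", "example.com"])
```

On the free tier described above (1 query/minute), the four queries in SAMPLE_PLAN would take about four minutes to submit.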

EU Data Residency Advantage

Onyphe operates from France, a big deal for European investigators and security teams.

They keep all data within the EU, including query logs, investigation records, and API traffic. This matters for GDPR and other data rules.

Law enforcement investigations need a clear chain of custody. Onyphe helps. Corporate security teams in regulated industries benefit, as do investigators working on cases with EU subjects.


Comparison to Shodan and Censys

Shodan's got the numbers. It has a large community, solid docs, integrations everywhere. Shodan is the default for most scanning jobs.

Censys takes a different approach. Its strength is structured data. Certificate intel is a standout feature. Its focus is attack surface management.

Onyphe has a few key features. It offers built-in threat intel. Passive DNS is available in the same UI. Data is stored in the EU. If you use Shodan and want to add CTI without switching, Onyphe provides that layer. For EU businesses with tight compliance requirements, Onyphe is a good choice.


Reviewed April 2026. Tool available at onyphe.io.

See Also

Threat Hunting and Network Recon Tools

Introduction

Threat hunting and network reconnaissance are critical components of a robust cybersecurity strategy. Effective threat hunting involves proactive and iterative searching for threats that evade existing security defenses. Network recon focuses on gathering information about a network's infrastructure, devices, and potential vulnerabilities. Here, we'll compare some of the best tools for threat hunting and network recon.

Threat Hunting Tools

Threat hunting tools help security teams identify and mitigate potential threats within their network. These tools provide insights into network activity, user behavior, and system performance.

Splunk indexes and analyzes machine data. Security teams use it for monitoring, incident response, and threat detection. Key features include data indexing, real-time monitoring, and threat detection using machine learning. Splunk helps operators detect anomalies in complex data.

ELK Stack (Elasticsearch, Logstash, Kibana) collects, processes, and visualizes logs. Security teams use it for log analysis and threat detection. Features include log collection, log processing, and data visualization. ELK Stack's effectiveness depends on data quality.

Network Recon Tools

Network recon tools gather information about a network's infrastructure, devices, and potential vulnerabilities. These tools help security teams identify exposed assets and potential entry points.

Shodan indexes internet infrastructure, including servers, cameras, routers, and industrial control systems. Anything listening on an open port gets catalogued, with banners providing information on what's running, version numbers, and sometimes config details. Shodan provides OSINT value, allowing operators to know what a target has exposed before sending a packet their way.

Censys scans and indexes internet-connected devices, providing insights into network exposure and vulnerabilities. Features include device scanning and vulnerability detection. Censys finds some things Shodan misses, and vice versa.

Comparison and Conclusion

Choosing the right tools for threat hunting and network recon depends on specific needs and goals. Splunk and ELK Stack are powerful tools for threat detection and log analysis. Shodan and Censys provide valuable insights into network exposure and vulnerabilities. You need both threat hunting and network recon tools, as they serve different purposes. Use them together for a robust cybersecurity strategy.


This review reflects testing as of 2026-04-03. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates.
