Early access: New content posts daily — updates are frequent and you may notice work in progress.
OSINTBench
Tools network recon uncover
uncover logo

uncover Review

A multi-engine exposed host discovery tool that turns Shodan, Censys, FOFA, and other indexes into one pipeline-friendly recon step.

4.2/5
free Free (open source) Reviewed 2026-04-05
Affiliate disclosure: OSINTBench may earn a commission if you purchase through links on this page, at no extra cost to you. Affiliate relationships do not influence our ratings or recommendations. Full policy →

Quick Verdict

Bug bounty hunters and pentesters who want fast cross-engine host discovery across global and regional internet indexes before live probing and vulnerability scanning.

Pros

  • + Queries multiple exposed-host search engines at once and deduplicates results automatically
  • + Fits cleanly into the ProjectDiscovery recon pipeline with stdout-ready output for httpx and nuclei

Cons

  • Real value depends on configuring multiple paid or rate-limited API-backed search engines
  • Cross-engine abstraction is less precise than using each provider's native advanced query syntax directly

Uncover: Consolidated Recon

You already use Shodan, Censys. Uncover consolidates their results. One command provides combined results. No more dashboard hopping, API translations, exports, or deduplication.

Your workflow is in ProjectDiscovery. Uncover shines here. It does not replace subfinder, httpx, or nuclei. Instead, it sits before probing and scanning. It provides passive exposed-host discovery. This gives you infrastructure visibility beyond DNS and certificate transparency.

The efficiency gain comes from command-line convenience on top of familiar APIs. You still need the rest of the toolkit. Uncover gets you more data, faster. Shodan, Censys, Uncover.

What uncover Does

uncover queries internet device search engines in parallel. Shodan, Censys, FOFA, ZoomEye, Quake, Hunter.

You write a dork-style query. uncover sends it to every configured engine. You get back a list of hosts, deduplicated, with IP addresses, ports, hostnames.

The output is stdout-friendly, requiring no extra formatting. You can pipe it straight into the next tool.

uncover fits with ProjectDiscovery tools. It is a Go binary with stdin/stdout workflows. There are no interactive menus or web dashboards. It is part of your "discover → probe → scan" workflow, sitting in the discovery stage. It is simple.

Supported Engines and API Configuration

Engine Coverage

uncover's main selling point is its engine coverage, supporting Shodan, Shodan InternetDB, Censys, FOFA, ZoomEye, Quake, Hunter, Netlas, CriminalIP, PublicWWW, and others. The list depends on current development and configured integrations.

The engine coverage includes Shodan, Censys, FOFA, ZoomEye, Quake, Hunter, Netlas, CriminalIP, PublicWWW. You get more than just Shodan and Censys. FOFA, ZoomEye, and Quake fill regional gaps. Their indexes show infrastructure that Shodan and Censys might miss.

Configuring Providers

Provider config is stored in YAML. You supply API keys for the engines you want to query. The tool's value scales with the number of engines you enable. Configure just Shodan, and uncover is a single-provider wrapper. Add FOFA, ZoomEye, Quake, and Censys, and the abstraction pays off.

Querying Engines

You can query specific engines with flags like -e shodan or -e fofa. If you leave the flag broad, uncover handles the fan-out. You choose how many engines to query. That’s it.

Core Query Patterns

Introduction to Uncover

Uncover performs basic host discovery. You query by service, port, and get a list of hosts. It combines results from Shodan and Censys. Query once and get results from both, saving time and eliminating duplicate searches.

Organization-Scoped Discovery

Uncover uses organization strings, certificate IDs, and similar clues. It aggregates results across indexes for one entity, making the process more efficient. Results are gathered from Shodan, Censys, X.509, and more.

Bulk Query Support

You can input a file with a list of searches using the -l option. This feature is useful for bug bounty programs with multiple targets, allowing you to test in parallel.

Operational Use

Uncover is suitable for single queries, ad hoc hunts, and larger recon exercises. You can easily iterate through many search variants.

uncover in the ProjectDiscovery Pipeline

Uncover in the ProjectDiscovery Flow

Uncover finds assets. Place it in the ProjectDiscovery workflow like this: Assets pop up from uncover. Certificate-based host discovery feeds straight into httpx. Now you know which assets are live on HTTP or HTTPS. Status codes and titles come with it. No custom code needed.

Practical Escalation Path

The full flow is straightforward. Uncover finds likely hosts, httpx confirms and fingerprints them, and nuclei tests for vulnerabilities or misconfigs. You start with third-party data. No need to scan the whole IP space. Then, you focus active traffic on visible candidates.

Complementary Tools

Uncover and subfinder serve different purposes. Subfinder digs up subdomains from passive DNS, certificate transparency. Uncover finds infrastructure via service fingerprints, organization strings, port exposure, indexed device metadata. Use both. They surface different assets.

Real Engagement Value

Assets show up differently. Some are clear in subdomain enumeration but not in exposed-host indexes. Others appear in FOFA or ZoomEye first. Uncover gives you that second perspective. That's it. You get more assets. Better recon.

uncover vs Manual Multi-Engine Queries

Running queries across Shodan, Censys, FOFA, and ZoomEye manually is tedious. You juggle browser tabs, make separate API calls, and then normalize and deduplicate the output. Uncover streamlines this process.

One command hits multiple providers, providing combined output, with no extra work required.

The real value of Uncover is removing friction. When you're doing recon at scale, speed matters. Uncover saves you time by cutting down on redundant work.

Collecting results the old way means reprocessing the same host multiple times. Uncover eliminates duplicates before the data hits tools like httpx or nuclei, saving time and reducing unnecessary work downstream.

Uncover has its limits. It is an abstraction layer. For advanced queries with complex boolean logic or provider-specific syntax, native APIs still offer more control. Uncover focuses on cross-engine utility, not maximum expressiveness per engine.

Verdict

Uncover earns its place because it's the fastest way to query multiple exposed-host search engines at once. Cross-engine querying, auto-dedupe, and clean stdout. That's efficiency.

It's especially useful for bug bounty hunters and pentesters in the ProjectDiscovery ecosystem. Exposed-host discovery feeds directly into httpx and nuclei. FOFA, ZoomEye, Quake provide regional coverage.

Configure as many engines as you can, then use uncover as your passive indexed-host discovery layer. Using one engine makes it optional. Using several makes it essential. It cleans up the ProjectDiscovery pipeline.

Community Rating

Ratings from security researchers. No third-party tracking.

☆☆☆☆☆
No ratings yet

Rate this tool:

This review reflects testing as of 2026-04-05. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates. Report an error →

View uncover on Wayback Machine →