Early access: New content posts daily — updates are frequent and you may notice work in progress.
OSINTBench
Tools network recon ·threat intelligence ZoomEye
ZoomEye logo

ZoomEye Review

Chinese-operated internet search engine for cyberspace — maps exposed services and devices globally

3.5/5
freemium Free (10 searches/day) / VIP from $35/mo Professional Brief overview Reviewed 2026-04-03
Affiliate disclosure: OSINTBench may earn a commission if you purchase through links on this page, at no extra cost to you. Affiliate relationships do not influence our ratings or recommendations. Full policy →

Quick Verdict

Threat intelligence analysts and OSINT investigators who need coverage of Chinese and Asian infrastructure that Shodan under-indexes, or who need a secondary scanner to cross-reference Shodan findings

Pros

  • + Broader coverage of Chinese and Asian infrastructure than Shodan — meaningful for investigations involving Chinese-hosted services
  • + Indexed content includes web applications, devices, databases, industrial control systems, and IoT
  • + Component-based search: find services by software component (Apache, WordPress, Kibana) rather than just port
  • + Historical data available — view what was running on an IP at previous scan dates
  • + API available on all tiers

Cons

  • Operated by a Chinese cybersecurity firm (Knownsec) — data may be accessible to Chinese government; a consideration for sensitive investigations
  • Free tier is very restrictive (10 searches/day) — meaningful use requires paid plan
  • English documentation is less thorough than Shodan's
  • Interface and search syntax less intuitive for Western users
  • Less community resources and integrations than Shodan
Visit ZoomEye →

What ZoomEye Is

ZoomEye

ZoomEye scans the internet, IP by IP, ports, services, and banners.

Knownsec, a Chinese cybersecurity firm, runs it and collects all the data, making it searchable.

You use ZoomEye in conjunction with Shodan, not as a replacement, as it provides complementary data, especially for China, threats, and infrastructure that Shodan may miss. ZoomEye picks up some that Shodan doesn't.

Its edge lies in the Asian IP space and Chinese targets, providing visibility when Shodan doesn't.

The Chinese Infrastructure Consideration

Using ZoomEye for Sensitive Investigations

Two things to consider:

Data coverage advantage. ZoomEye indexes China's internet infrastructure, a part of the global landscape under-indexed by Western scanning services. This is valuable for threat intelligence on Chinese threat actors or when investigating organizations with Chinese cloud or data center presence.

Data sovereignty. ZoomEye's a Chinese company. Your queries are logged. For sensitive topics, such as researching Chinese government infrastructure or state-affiliated threat actors, this presents an OPSEC concern. Use ZoomEye from a non-attributable connection or weigh the benefits against the risks.

These concerns are not major for routine infrastructure work, competitive intelligence, and general OSINT.

Query Syntax

ZoomEye's field-based search is similar to Shodan's:

  • app:"Apache httpd" — web servers running Apache
  • port:27017 — all MongoDB instances
  • country:"CN" — Chinese IP space
  • country:"CN" port:6379 — Redis instances in China
  • device:"webcam" — indexed webcam devices
  • hostname:target.com — services associated with a domain
  • cidr:1.2.3.0/24 — all services in a subnet
  • ver:"2.4.6" — services running a specific version

The app: field helps you find software instances by name, no port needed. You can query by date to see how infrastructure has changed over time, such as after an incident.

Practical Use Cases

ZoomEye helps you find map services on Chinese cloud providers. You can identify Chinese IP blocks or services tied to a domain.

APT groups on Chinese infrastructure show up more clearly in ZoomEye. Pair it with Shodan for a fuller picture.

Run a query in ZoomEye to catch what Shodan misses, good for thorough searches.

ZoomEye indexes industrial control systems, IoT devices. Asian manufacturing and utilities are well-covered.

Comparison to Alternatives

Shodan sets the standard, with a larger index focused on Western infrastructure, better documentation, more integrations, and community resources. For non-Asian investigations, Shodan is your best bet.

Censys targets enterprises, offering structured data and attack surface management tools, and is pricier, with a more organized data model and support for large organizations.

FOFA is another China-based option, providing similar coverage to ZoomEye. Some users run FOFA, ZoomEye, and Shodan for comprehensive coverage of Asian infrastructure.

Netlas covers more ground globally and offers regex search in response bodies, a feature not available in Shodan or ZoomEye.

When choosing an index, start with Shodan. Cross-check with ZoomEye for Asian assets. Add Netlas when you need to search response bodies. Shodan, ZoomEye, Netlas.

Reviewed April 2026. Tool available at zoomeye.org.

See Also

Best Threat Hunting Tools

Top 9 Threat Hunting Platforms

You need threat hunting tools. They help you find the threats that slipped past your defenses. Here are nine platforms that do just that.

1. Shodan

Shodan indexes internet infrastructure, including servers, cameras, routers, industrial control systems. Anything listening on an open port gets catalogued. Banners tell you what's running, version numbers, sometimes config details. That's the OSINT value: you know what a target has exposed before you ever send a packet their way. Operators miss things; dev servers get forgotten.

2. Censys

Censys scans the internet too; it finds more in certain cases. Shodan misses some things. Censys has a free tier, but it's limited; you'll burn through it in about 40 minutes of actual work. The API is where this tool earns its rating.

3. Greynoise

Greynoise tells you what's normal on your network and threats. It helps you focus on anomalies. Noise reduction is key; you can't investigate everything. Greynoise costs more, but it pays off.

4. Echosec

Echosec tracks geolocation of mobile devices, laptops, servers. It's useful for incident response; you need to know where the threat is coming from. Echosec provides that, mostly.

5. IntelX

IntelX searches code repositories: GitHub, GitLab, Bitbucket. You find sensitive data, leaked credentials, API keys. IntelX does this quickly.

6. Sprawl

Sprawl monitors the dark web: forums, chat rooms, marketplaces. You need to know what's being discussed; Sprawl helps. It doesn't cover everything, but it's a start.

7. Tenable.io

Tenable does vulnerability management; it scans your network and finds weaknesses. You fix them before they're exploited. Tenable.io integrates with other tools; your security stack works together.

8. Recorded Future

Recorded Future provides threat intel; it's analysis, not just data. You get context; this helps with prioritization of which threats to tackle first.

9. CrowdStrike Falcon

CrowdStrike Falcon does more than threat hunting; it's a full security platform for prevention, detection, response. You need this for advanced threats.

Comparison of Threat Hunting Tools

The tools vary in focus, data sources, and cost. Shodan and Censys focus on internet infrastructure, using internet scans. Greynoise focuses on network anomaly, using network traffic. Echosec focuses on geolocation, using geolocation data. IntelX focuses on code repositories, using code repositories. Sprawl focuses on dark web monitoring, using dark web forums. Tenable.io focuses on vulnerability management, using network scans. Recorded Future focuses on threat intelligence, using threat data. CrowdStrike Falcon is a full security platform, using network traffic and threat data.

Conclusion

You can't use just one tool; each has strengths. Shodan and Censys are good for infrastructure. Greynoise and Tenable.io are good for network threats. Recorded Future and CrowdStrike Falcon are good for threat intel and response. Pick the right tool; use it well.

Further Reading

Tool Relationships

Alternative to Censys 4.1/5 Alternative to Criminal IP 3.9/5 Alternative to Netlas 3.9/5 Feeds into OpenCTI 4.3/5

Similar Tools

Shodan

Search engine for internet-connected devices — find exposed servers, industrial systems, and network infrastructure worldwide.

4.7/5 freemium

urlscan.io

Free website scanner that captures full-page screenshots, network requests, and DOM snapshots for any URL

4.6/5 freemium

VirusTotal

Multi-engine malware scanner and threat intelligence platform for files, URLs, IPs, and domains

4.5/5 freemium

C2 Tracker

A live C2 infrastructure feed that helps defenders hunt, block, and correlate active command-and-control servers by framework type.

4.3/5 free

Community Rating

Ratings from security researchers. No third-party tracking.

☆☆☆☆☆
No ratings yet

Rate this tool:

This review reflects testing as of 2026-04-03. OSINT tools change frequently — check the vendor's current documentation for pricing and feature updates. Report an error →

View ZoomEye on Wayback Machine →