Shodan, Censys, and the Internet-Wide Scanners Compared

By Jesse William McGraw, April 26, 2026

Continuous internet-wide scanning produces some of the most consequential data in modern cybersecurity. Tools that build searchable indexes of what services are exposed on every public IP address provide a view of the internet that is unavailable from any single network’s vantage point. The category started with Shodan in 2009 and has expanded to several substantial competitors. Each has different strengths; serious work usually involves at least two of them.

A practical comparison.

What internet-wide scanners do

The basic premise is simple. The IPv4 address space contains about 3.7 billion routable addresses. Scanning all of them on the most common ports (80, 443, 22, 21, 3389 and so on) is computationally feasible from a small number of well-positioned servers. Each scan captures the response from each address: HTTP banner and headers, SSH host key and version, TLS certificate, RDP banner, SNMP information, ICS protocol responses, and many others.

The scan data is parsed, structured, and indexed. The result is a queryable database where you can ask "which IPs are running Elasticsearch on the default port" or "what TLS certificates have been issued to subdomains of example.com" or "which RDP servers exposed to the internet are running an unpatched version vulnerable to CVE-X."

The scanners run continuously. Most major scanners refresh their data every few days for common ports and weekly to monthly for less common ones.

The major scanners

Shodan (shodan.io). The original. John Matherly launched it in 2009 with a focus on industrial control systems and unusual exposed services. It has the strongest brand recognition and the most extensive industrial protocol coverage. The query syntax is mature, the user interface is the most polished in the category, and the marketplace of saved queries and integrations is large. Free tier with limited features; commercial pricing for serious use.

Censys (censys.io). Originated from academic research at the University of Michigan; commercialised in 2017. Generally considered to have the freshest data and the best query language for complex investigations. Strong coverage of TLS certificates and HTTP services; good integration with Certificate Transparency. Free tier; commercial for advanced features.

ZoomEye (zoomeye.org). Operated by Knownsec, a Chinese cybersecurity company. Strong coverage of Asian internet infrastructure, including Chinese services that other scanners cover less thoroughly. Different data model and search syntax. Free tier; commercial tiers.

FOFA (fofa.info). Another Chinese-operated scanner. Specialises in fingerprinting specific application versions and configurations; strong for finding specific software deployments. Particularly useful when the investigation involves Asian infrastructure.

BinaryEdge (binaryedge.io). European; broad coverage across protocols. Useful as a third-party check on Shodan and Censys; their data sometimes catches things others miss.

Hunter.how (hunter.how). Newer entrant; strong on application fingerprinting; growing share among threat researchers.

Netlas (netlas.io). Active in the niche; has produced good free-tier offerings.

LeakIX (leakix.net). Specialised in finding misconfigured and exposed services rather than general scanning.

The list shifts as new entrants emerge and existing services change. The category is competitive and the best-tool-for-the-job depends on the specific investigation.

What you can find

A non-exhaustive list of categories of finding:

Misconfigured services. Elasticsearch, MongoDB, Redis, Memcached, Hadoop, Kibana, MySQL, PostgreSQL, Docker daemons and Kubernetes API servers have all been mass-exposed historically and continue to be in 2026, despite years of advisories. A query for "MongoDB" with port 27017 still returns thousands of unauthenticated databases.

Vulnerable software versions. Specific versions of Exchange, Confluence, Jenkins, GitLab, FortiOS, Citrix NetScaler, Ivanti Connect Secure, and many others have been targets of mass-exploitation campaigns. Searching for the affected version banners surfaces vulnerable hosts at scale.

Industrial control systems. Modbus, Siemens S7, Niagara, BACnet, EtherNet/IP and DNP3 endpoints, exposed to the internet in alarming numbers. Shodan in particular built its early reputation on documenting this.

IoT and consumer devices. Webcams, printers, NAS devices, smart-home gateways, network video recorders. The Mirai botnet’s targets were largely findable via Shodan queries.

Cloud workloads with weak controls. Exposed cloud-management interfaces, S3 buckets discoverable by their hostname patterns, exposed Docker registries.

Adversary infrastructure. Cobalt Strike teamservers, Metasploit listeners, command-and-control panels with characteristic banners or TLS certificates. Threat-intel teams use scanner data to track active campaigns.

Specific deployments by organisation. Searching for a target’s TLS certificate fingerprints, hostname patterns, or specific application banners maps an organisation’s internet-facing footprint.

The 2024 mass-exploitation pattern

A consistent pattern across recent years: a critical vulnerability is disclosed in a widely-deployed product. Within hours, exploit code is public. Within a day, attackers are mass-exploiting. The internet-wide scanners are central to both sides of the cycle.

Defenders use them to find their own exposure (an organisation’s IPs running the affected software). Attackers use them to find targets at scale.

The 2024 Ivanti Connect Secure vulnerability series, the Cisco IOS XE vulnerabilities and the Fortinet FortiOS issues each saw scanner queries shared widely in the early hours after disclosure. The "find vulnerable hosts in 30 seconds" capability is the central operational fact of modern vulnerability response.

Query examples

A flavour of the kinds of queries possible:

Shodan: product:"Elastic" port:9200 -authentication finds Elasticsearch instances without authentication.

Censys: services.tls.certificates.leaf_data.subject_dn: "*.example.com" finds TLS certificates issued to any subdomain of example.com.

Shodan: hostname:.target.com http.title:"Login" finds login pages on any subdomain of target.com.

Censys: services.banner: "OpenSSH 7.4" and services.port: 22 finds hosts running a specific SSH version.

The query languages have substantial expressive power; mastering them is one of the more useful skills for OSINT and security research.

Defensive use

Internet-wide scanners are dual-use. The same tools that let attackers find vulnerable hosts let defenders find their own exposed assets.

Attack-surface management products (Microsoft Defender External Attack Surface Management, CrowdStrike Falcon Surface, Cycognito, Palo Alto Cortex Xpanse, Censys Attack Surface Management) are largely scanner-derived: they continuously scan the internet for assets attributable to the customer organisation and surface them as attack surface inventory.

For an organisation’s own use, querying a scanner with their domain or IP ranges produces a list of internet-exposed assets that often includes things the organisation did not know it owned: forgotten subdomains, decommissioned-but-still-running test environments, marketing-team WordPress instances, third-party SaaS using the customer’s domain.

This finding-yourself-exposed exercise is one of the more productive single security investments a CISO can make. Most large organisations are surprised by what scanners find on their first comprehensive query.

Operational considerations

Several things to know:

Scanners run from known IP ranges. Defensive tools (firewalls, IDS) can detect scanner traffic, and in some configurations it can be blocked. The scanners’ published IP ranges are sometimes blocked at the edge for "noise reduction"; this also stops the scanner’s data about that organisation from refreshing.

Coverage and freshness vary. Each scanner has different sensor positions, different scan cadence, different protocol coverage. Cross-referencing multiple scanners produces better coverage than any single one.

The data is observational. Scanners report what they observed; the underlying state may have changed. A vulnerable banner from last week’s scan may be patched today.

Programmatic querying requires API keys and respect for rate limits. The web UIs are useful for ad-hoc work; anything continuous needs API integration.

Some commercial use is restricted. Major scanner providers’ terms of service prohibit specific uses (mass-exploitation enablement, harassment, certain commercial redistribution). Read the terms.

OPSEC matters for the investigator. Querying a scanner reveals the investigator’s interest in the target. For sensitive investigations, the providers’ privacy policies and the investigator’s network position are part of the threat model.

What to do as a defender

A pragmatic checklist:

Subscribe to at least one major scanner (Shodan, Censys) and run regular queries against your organisation’s IP ranges, domain name patterns, and TLS certificate subjects.

Build alerts for any new internet-exposed service appearing under your organisation’s footprint.

When critical vulnerabilities are disclosed, immediately query for affected versions in your IP ranges. Do not wait for vendor scans to catch up.

Use attack-surface management products (Censys ASM, EASM, Cortex Xpanse, etc.) for continuous monitoring with attribution.

Treat scanner-driven findings as authoritative for "is this exposed to the internet" purposes.

Make sure shadow-IT footprints (marketing sites, developer test environments, third-party integrations) are part of the inventory.
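The second and third checklist items (alert on new exposed services; query for affected versions once a vulnerability is disclosed) reduce to a diff between scanner snapshots plus a banner match, as in this added example. It is not Ransomnews code or any scanner's API client: the org ranges, domain and the two snapshots are constructed records in the per-service shape scanner APIs typically return, with invented values.

```python
import ipaddress
import re

# Constructed sample: the org's own address range/domain and two scanner
# snapshots (baseline vs. latest). Shape mirrors per-service scanner records.
ORG_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ORG_DOMAIN = "example.com"

BASELINE = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.24.0",
     "hostnames": ["www.example.com"]},
    {"ip": "203.0.113.12", "port": 22, "product": "OpenSSH", "version": "7.4",
     "hostnames": ["bastion.example.com"]},
]
CURRENT_SCAN = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx", "version": "1.24.0",
     "hostnames": ["www.example.com"]},
    {"ip": "203.0.113.12", "port": 22, "product": "OpenSSH", "version": "7.4",
     "hostnames": ["bastion.example.com"]},
    {"ip": "203.0.113.40", "port": 27017, "product": "MongoDB", "version": "4.4.1",
     "hostnames": ["test-db.example.com"]},   # forgotten test database
    {"ip": "198.51.100.7", "port": 443, "product": "nginx", "version": "1.24.0",
     "hostnames": ["www.other.org"]},         # someone else's host, ignored
]

def in_footprint(rec, ranges=ORG_RANGES, domain=ORG_DOMAIN):
    """Attribute a record to the org by IP range or by a hostname under its domain."""
    addr = ipaddress.ip_address(rec["ip"])
    if any(addr in net for net in ranges):
        return True
    return any(h == domain or h.endswith("." + domain) for h in rec["hostnames"])

def service_keys(records, ranges=ORG_RANGES, domain=ORG_DOMAIN):
    return {(r["ip"], r["port"]) for r in records if in_footprint(r, ranges, domain)}

def new_exposures(baseline, current, ranges=ORG_RANGES, domain=ORG_DOMAIN):
    """(ip, port) pairs in the latest scan that were absent from the baseline."""
    return sorted(service_keys(current, ranges, domain) - service_keys(baseline, ranges, domain))

def affected_hosts(records, product, version_regex, ranges=ORG_RANGES, domain=ORG_DOMAIN):
    """Org hosts whose banner product/version matches a disclosed-vulnerable pattern."""
    pat = re.compile(version_regex)
    return [r for r in records if in_footprint(r, ranges, domain)
            and r["product"].lower() == product.lower() and pat.search(r["version"])]

if __name__ == "__main__":
    for ip, port in new_exposures(BASELINE, CURRENT_SCAN):
        print(f"ALERT new exposure: {ip}:{port}")
    for r in affected_hosts(CURRENT_SCAN, "OpenSSH", r"^7\.4"):
        print(f"ALERT affected version: {r['ip']}:{r['port']} {r['product']} {r['version']}")
```

Because scanner data is observational (see above), treat an alert as a prompt to verify the host directly, not as proof of its current state.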

The internet-wide scanner category has matured. The defensive value has caught up with the offensive value. Treating these tools as part of a normal security operations toolkit is the right framing in 2026.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.
