Censys

What It Is

Censys scans the entire IPv4 space and indexes hosts, services, and TLS certificates. Similar to Shodan but particularly strong for certificate transparency and TLS reconnaissance. Finding subdomains via certificate data is a key use case.

Free tier: 250 queries/month. Data is fresher than Shodan for some scan types.

---

Web Search

Use at search.censys.io. Two main search types: Hosts and Certificates.

Host search filters

Filter	Example
services.port:	services.port:443
services.service_name:	services.service_name:HTTP
services.software.product:	services.software.product:nginx
services.tls.certificates.leaf.subject.common_name:	...common_name:example.com
location.country:	location.country:"United States"
autonomous_system.name:	autonomous_system.name:"AMAZON"
labels:	labels:revproxy

Certificate search

Powerful for subdomain enumeration — certificates often list subdomains in the Subject Alternative Name (SAN) field:

parsed.names:example.com

This returns all certificates that mention example.com in the CN or SAN fields, revealing subdomains like staging.example.com, api.example.com, etc.

---

CLI

pip install censys

# Configure API credentials (from censys.io account)
censys config

# Search hosts
censys search "services.port:22 AND services.software.product:OpenSSH"

# View a specific host
censys view 10.10.10.1

# Certificate search for subdomains
censys search "parsed.names:example.com" --index-type certificates

---

Censys vs Shodan

Aspect	Censys	Shodan
Strength	TLS/certificate data, subdomain discovery	Banner data, IoT/OT devices
Free tier	250 queries/month	Limited results per query
Best for	Certificate recon, infra mapping	Service identification, vuln scanning
Data freshness	Regular full IPv4 scans	Continuous scanning

Both are worth checking — they index slightly different data and have different scanning schedules.

---

Links

• Censys Search
• Censys API Docs
• Censys Python Library