Investigator Use
Censys Search is an internet-wide scanning platform that provides detailed data on every reachable host and certificate on the internet. Developed at the University of Michigan and now maintained as a commercial product, Censys continuously scans the full IPv4 address space and maintains one of the largest databases of internet host and certificate data available to the public.
What investigators use Censys for: discovering internet-exposed services associated with target organizations, pivoting between hosts using shared TLS certificates, mapping infrastructure belonging to threat actors, finding misconfigured cloud assets, and cross-referencing Shodan data for additional context.
What data Censys exposes: open ports and services for every reachable IPv4 host, TLS certificate details including subject, issuer, and SANs (Subject Alternative Names), autonomous system and organization information, software and protocol versions, HTTP response data, and historical host data through the Censys API.
Certificate pivoting is one of the most powerful OSINT techniques available through Censys. Because organizations often reuse TLS certificates across their infrastructure, a single certificate issued to example.com may also be valid for api.example.com, internal.example.com, and staging.example.com. Searching Censys by certificate fingerprint or organization name reveals the full scope of an organization's SSL-secured infrastructure.
For threat intelligence: threat actors often reuse the same self-signed certificates across C2 servers. If you have a certificate fingerprint from one known malicious server, Censys can identify other IP addresses using the same certificate — expanding a single known indicator into a full infrastructure map.
API access: Censys offers a free account with limited query credits and a paid API for bulk and automated queries. The free tier allows meaningful research for most OSINT investigations. The Censys CLI makes it easy to script searches and integrate results into analysis pipelines.
In a workflow: after identifying a target organization from WHOIS or theHarvester, query Censys by organization name to enumerate all internet-facing hosts. Use certificate SANs to discover subdomains not visible in DNS. Compare Censys results with Shodan — they use different scanning methodologies and together provide more complete coverage than either alone.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
APNIC
IP Address OSINT
A global, open, stable, and secure Internet that serves the entire Asia Pacific community
Abuse IP DB
IP Address OSINT
AbuseIPDB provides IP reputation data and community abuse reports for identifying malicious hosts in network and threat investigations.
Cloudflare IP Finder
IP Address OSINT
Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network
Criminal IP
IP Address OSINT
Criminal IP delivers AI-powered IP threat intelligence, attack surface data, and fraud detection for cyber threat investigations.
DNS dumpster
IP Address OSINT
Free domain research tool to discover hosts related to a domain. Find visible hosts from the attackers perspective for Red and Blue Teams.
Domain/IP lookup
IP Address OSINT
InfoByIP provides bulk IP and domain lookups returning geolocation, ASN, hostname, and WHOIS data for multiple targets simultaneously.