OSINT Search Techniques Verified May 16, 2026

Shodan

Shodan indexes internet-connected devices worldwide, letting investigators discover exposed systems, open ports, and vulnerable infrastructure.

Investigator Use

Shodan is a search engine for internet-connected devices, widely used in OSINT investigations to discover exposed infrastructure, misconfigured services, and vulnerable systems. Unlike traditional search engines that index web content, Shodan crawls the internet and indexes metadata returned by devices on open ports — including routers, webcams, industrial control systems, databases, and web servers.

What investigators use Shodan for: mapping a target organization's internet-facing attack surface, identifying exposed services such as open RDP, Telnet, or MongoDB instances, finding devices running outdated or vulnerable software versions, and discovering shadow IT assets that weren't disclosed by the organization itself.

What data Shodan exposes: IP addresses and geolocation, open ports and protocols, HTTP response headers and server banners, SSL certificate metadata and organization names, software versions and product identifiers, ASN and ISP attribution, and historical snapshots of device states.

Shodan is particularly valuable in the early reconnaissance phase of an OSINT investigation. When you have a target domain or IP range, query Shodan to enumerate what services are publicly reachable. The results often surface exposed admin panels, configuration files, default credentials pages, and industrial equipment that should never be internet-facing.

Using filters effectively: Shodan's power comes from its filter syntax. Use org: to search by organization name, net: for CIDR ranges, port: to focus on specific services, country: to filter by geography, and has_vuln: to surface hosts with known CVEs. Combining filters quickly narrows thousands of results to relevant targets.

Free tier limitations: The free account provides limited search results and access to basic filters. Full filter access, the Shodan CLI, and the API require a paid account starting at a one-time fee. For most OSINT practitioners, the free tier paired with the Shodan CLI covers the majority of reconnaissance needs.

In a workflow: use Shodan after identifying a target IP range from WHOIS or ASN lookups. Cross-reference Shodan results with Censys and GreyNoise — Shodan finds what is exposed, GreyNoise tells you if an IP is a known scanner, and Censys provides certificate-based pivots. Always document timestamps, as internet exposure changes frequently.
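
The filter and workflow paragraphs above, as an added example that is not part of the original page or Shodan's own code: it combines filters into one query and turns exported banner records for your own organization's range into timestamped evidence rows. The helper names build_query and triage are hypothetical, the records are constructed, and the field names (ip_str, port, product, timestamp, vulns) assume Shodan's JSON banner export.

```python
import json
from datetime import datetime, timezone

# Services the page names as commonly exposed by mistake.
RISKY_PORTS = {23: "Telnet", 3389: "RDP", 27017: "MongoDB"}

def build_query(**filters):
    """Combine Shodan filters (org, net, port, country, ...) into one query string."""
    parts = []
    for name, value in filters.items():
        value = str(value)
        # Values containing spaces must be quoted, e.g. org:"Example Corp".
        parts.append(f'{name}:"{value}"' if " " in value else f"{name}:{value}")
    return " ".join(parts)

def triage(ndjson_text, collected_at):
    """Turn exported banner records (one JSON object per line) into evidence rows."""
    rows = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        b = json.loads(line)
        rows.append({
            "host": f'{b["ip_str"]}:{b["port"]}',
            "service": RISKY_PORTS.get(b["port"], b.get("product") or "unknown"),
            "risky": b["port"] in RISKY_PORTS,
            "cves": sorted(b.get("vulns", {})),
            "observed_by_shodan": b["timestamp"],  # when Shodan last saw the service
            "collected_at": collected_at,          # when the investigator pulled it
        })
    # Risky services first, then hosts with known CVEs, then everything else.
    rows.sort(key=lambda r: (not r["risky"], not r["cves"], r["host"]))
    return rows

# Constructed sample records (documentation IP range, placeholder CVE id).
SAMPLE = """\
{"ip_str": "203.0.113.10", "port": 443, "product": "nginx", "timestamp": "2026-05-10T08:14:02.000000", "vulns": {"CVE-PLACEHOLDER-1": {}}}
{"ip_str": "203.0.113.25", "port": 3389, "timestamp": "2026-05-11T19:40:55.000000"}
{"ip_str": "203.0.113.40", "port": 22, "product": "OpenSSH", "timestamp": "2026-05-09T02:03:44.000000"}
"""

if __name__ == "__main__":
    print(build_query(org="Example Corp", net="203.0.113.0/24"))
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for row in triage(SAMPLE, now):
        print(row)
```

Keeping both timestamps in each row separates when Shodan last observed the service from when the record was collected, which matters when exposure has changed between the two.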

Before You Pivot

Record Context

Capture the target, search terms, and why this source is relevant before you leave the page.

Preserve Evidence

Archive volatile pages, save screenshots, and keep timestamps for anything that may change.

Corroborate

Treat one tool as a lead source. Confirm important findings with independent sources.
