
Vulnerability ManagementThreat Intelligence
Censys Platform
Internet-wide scanning that maps an external attack surface and tracks adversary infrastructure.
Censys Platform Overview
What it does
Censys Platform is an internet intelligence product that maps an organization's external attack surface using first-party scanning of the public internet across all 65,000 ports. Its distinctive mechanism is a continuously refreshed map of global internet infrastructure built from Censys's own scan data and certificate transparency records rather than third-party feeds. Security teams use it to discover internet-facing assets, including services on nonstandard ports and unmanaged cloud systems that internal scanners miss.
How it works
The platform scans the internet continuously and fingerprints the software, services, and certificates running on each discovered host, mapping relationships between assets to attribute them back to the organization. It alerts on meaningful changes such as new hosts, ports, or certificates, and scores exposures using Exploit Prediction Scoring System (EPSS) probability and CISA Known Exploited Vulnerabilities (KEV) data to rank what to fix first. Teams can pivot from a flagged exposure into the broader platform to track reused certificates and domains and investigate adversary infrastructure, including command-and-control (C2) servers and phishing domains.
Credentials and traction
Censys holds SOC 2 Type II certification, with an independent audit confirming its controls over a defined period. The company originated from the ZMap internet-scanning research at the University of Michigan and serves security operations, threat hunting, and government teams, including CISA, the U.S. Department of Homeland Security, and large enterprises. Its scan datasets and certificate records are widely used as a reference source for internet infrastructure research.
Key Capabilities
mapped to solution categoriesRanks discovered exposures by combining exploitability signals, asset business context, and active threat intelligence to produce an actionable remediation queue.
Identifies software stacks, versions, and components running on discovered assets through passive banner analysis and active probing, mapping CVE exposure without authenticated scanning.
Continuously enumerates internet-exposed assets (domains, IPs, subdomains, certificates, cloud storage, APIs) using passive DNS, certificate transparency logs, and active probing, including assets outside the official inventory.
Identifies cloud resources, SaaS applications, and exposed services deployed by business units without IT or security team visibility or approval.
Tracks SSL/TLS certificate expirations, newly registered lookalike domains, and subdomain takeover opportunities (dangling DNS records pointing to deprovisioned cloud services).
Compliance
certificationsIntegrations
compatible toolsImplementation & support
Info last updated on June 30, 2026