Censys to Expand Internet Scanning for Threat Hunting

The startup has raised money to make it easier for organizations to benefit from broad internet-wide scanning technology that can be used to identify potential threats.


Visibility is key for IT security professionals trying to figure out the nature of a given cyber-security threat. While having visibility into an organization's environment is one thing, having visibility into the entirety of the internet is another, which is where Censys fits in.

Censys has its roots in the open-source zmap project, which enables researchers to conduct broad network scans of the IPv4 network address space across the internet. The zmap project got started around 2014 and required systems that were capable of processing large data sets. The Censys website service that enables broad scanning from a web interface was launched in late 2015. 

"Basically, the initial goal with Censys was to broaden the audience of security researchers that could access the scanning tool and then let them ask questions about what was on the internet and how it's changing over time, from an infrastructure service standpoint," Brian Kelly, CEO of Censys, told eWEEK. "The tool, while initially targeted for researchers, got adoption far beyond just the research community, with lots of companies and security teams using it for reconnaissance on their own organization and on potential adversaries."

In January 2018, Censys launched its first commercial plans for the service, selling access to the data it collects for commercial use cases. Prior to the commercial launch, Censys was operating as a research project out of the University of Michigan, and the funding grant that enabled the project did not allow for commercial reuse of the collected data. On Nov. 27, Censys announced that it raised $2.6 million in a seed round, led by GV and Greylock Partners, to help grow the technology and the service.

"We did this fundraise on the premise of not just collecting a lot more data, but also, instead of putting the burden on the user to ask the right questions to improve security, we want to be able to help provide some of those insights directly," he said.


There are a number of different tools that collectively enable the open-source zmap project, according to Kelly. Among them is the core scanning technology, which Kelly said can require a large amount of bandwidth and infrastructure in order for an individual to run on their own. The data enrichment, deduplication and searchability components are the additional components that Censys provides.

"It's what we do with the data after it has collected data from a server running on an IP address that is value-add," he said. "We enrich that data and then make it easily indexed and searchable for users; that's the proprietary part that is behind our service."

Censys operates on a software-as-a-service (SaaS) model with the data available to customer either via the web interface or an API.

"We also license the data directly, so that we have a couple market enterprise customers. One of them that we mentioned on the website is Google," Kelly said. "So Google's threat intelligence team ingests our data and then brings it in with a bunch of their own data to do their own threat hunting."

Threat Hunting

There are a number of different tools available in the market today, including the shodan.io web service, that also provide scanning and insight capabilities for IP addresses. Kelly said there is overlap between the Censys and shodan.io customer base.

Both Censys and shodan are infrastructure crawlers, and they both have their own approaches to how data is collected, how often the data is refreshed and how the fidelity of data is determined, he said.

"It's hard to give an objective measure of what metric for one service is better than the other. All I can say is that a lot of our customers also say they're using other data providers," Kelly said. "But they're more than willing to pay for more data because they're saying they find things that they didn't find previously with Censys added to their data set."

Kelly added that on the threat hunting side, what Censys provides is information about what is running on a given IP address that an organization might consider to be questionable. For example, with a potential phishing email, an IT security team can look at the URLs associated with the email and see what IP addresses and host names that it's calling out to. Kelly said Censys delivers historical snapshots so a user can go back and determine what was on a given IP address on specific day and then use the attributes of what was found on that IP, including items such as SSL/TLS certificates.

All that collected information can then be correlated to identify other potential areas where the same adversary might be running infrastructure. Kelly said organizations can then decide to act on the information, creating new policy and rules.

Currently, Censys is typically used as an asynchronous investigation tool and not so much as a real-time decision tool, according to Kelly. He explained that Censys relies on security analysts to take the data and then infer something from it. Looking forward, Kelly said he's looking to make Censys more accessible to a broader group of users in a way that doesn't require organizations to do any software engineering to fully benefit from the data.

"We want to be able to provide a solution not just for the most technically sophisticated security practitioners, but also to a broader audience that wants to solve similar problems but without having to do as much work," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.