Everyone knows Shodan. But Censys is the quiet alternative that security researchers often prefer — and it has a generous free API tier.
Censys scans the entire IPv4 address space and indexes every TLS certificate. 400 million+ hosts. 7 billion+ certificates. Updated continuously.
Why Censys Over Shodan?
A security team needed to find all instances of a specific TLS certificate across the internet — a certificate that had been compromised. Shodan couldn't search by certificate fingerprint effectively. Censys found 2,400 hosts using that exact cert in under 3 seconds.
Each tool has strengths. Censys excels at certificate intelligence and structured queries.
Get Your Free API Key
- Sign up at search.censys.io
- Go to Account → API → get your API ID and Secret
- Free tier: 250 queries/month
Search for Hosts
```python
import requests
from requests.auth import HTTPBasicAuth

API_ID = "your-api-id"
API_SECRET = "your-api-secret"
auth = HTTPBasicAuth(API_ID, API_SECRET)


def search_hosts(query, per_page=5):
    """Search for hosts matching a Censys query."""
    response = requests.get(
        "https://search.censys.io/api/v2/hosts/search",
        params={"q": query, "per_page": per_page},
        auth=auth,
        timeout=30,
    )
    # Fail on HTTP errors (bad credentials, exhausted quota) instead of a KeyError below
    response.raise_for_status()
    data = response.json()
    total = data["result"]["total"]
    print(f"Query: {query}")
    print(f"Total hosts: {total:,}")

    for hit in data["result"]["hits"]:
        ip = hit["ip"]
        services = [
            f"{s['port']}/{s.get('service_name', '?')}"
            for s in hit.get("services", [])
        ]
        location = hit.get("location", {})
        country = location.get("country", "Unknown")
        print(f"\n  {ip} ({country})")
        print(f"  Services: {', '.join(services)}")

        # Autonomous system info
        asn = hit.get("autonomous_system", {})
        if asn:
            print(f"  ASN: {asn.get('asn', '?')} — {asn.get('name', '?')}")


# Find exposed Elasticsearch instances
search_hosts("services.service_name: ELASTICSEARCH")
```
Look Up a Specific Host
```python
def lookup_host(ip):
    """Get detailed information about a specific IP."""
    response = requests.get(
        f"https://search.censys.io/api/v2/hosts/{ip}",
        auth=auth,
        timeout=30,
    )
    if response.status_code == 200:
        host = response.json()["result"]
        print(f"IP: {host['ip']}")
        print(f"Last updated: {host.get('last_updated_at', '?')}")

        for service in host.get("services", []):
            port = service["port"]
            name = service.get("service_name", "Unknown")
            transport = service.get("transport_protocol", "TCP")
            print(f"\n  Port {port}/{transport}: {name}")

            # TLS certificate info
            tls = service.get("tls", {})
            if tls:
                cert = tls.get("certificates", {}).get("leaf", {})
                if cert:
                    subject = cert.get("subject_dn", "?")
                    issuer = cert.get("issuer_dn", "?")
                    print(f"    TLS Subject: {subject}")
                    print(f"    TLS Issuer: {issuer}")
    else:
        # Report the failure instead of returning silently
        print(f"Lookup failed for {ip}: HTTP {response.status_code}")


lookup_host("1.1.1.1")
```
Search Certificates
This is where Censys really shines — certificate transparency search:
```python
def search_certificates(query, per_page=5):
    """Search the certificate transparency logs."""
    response = requests.get(
        "https://search.censys.io/api/v2/certificates/search",
        params={"q": query, "per_page": per_page},
        auth=auth,
        timeout=30,
    )
    # Fail on HTTP errors (bad credentials, exhausted quota) instead of a KeyError below
    response.raise_for_status()
    data = response.json()

    for cert in data["result"]["hits"]:
        fp = cert.get("fingerprint_sha256", "?")[:16]
        names = cert.get("names", [])[:3]
        issuer = cert.get("issuer_dn", "?")
        print(f"  {fp}... | Names: {', '.join(names)} | Issuer: {issuer}")


# Find all certificates for a domain
search_certificates("names: example.com")

# Find certificates issued by Let's Encrypt
search_certificates("issuer_dn: \"Let's Encrypt\"")
```
Censys vs Shodan
| Feature | Censys | Shodan |
|---|---|---|
| Free queries/month | 250 | ~100 search credits |
| Certificate search | Excellent | Limited |
| Query language | SQL-like, powerful | Simple filters |
| Data freshness | Continuous | Daily |
| IPv6 support | Yes | Limited |
| Price (paid) | $25/mo | $59/mo |
What You Can Build
- Certificate monitoring — alert when new certs are issued for your domains
- Attack surface mapping — find all your organization's public services
- Threat hunting — track malicious infrastructure by certificate patterns
- Compliance scanning — ensure all services use valid TLS
- Shadow IT detection — find unauthorized services in your IP ranges
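
The certificate monitoring idea from the list above, as an added example (not code from the original post): it pages through `names:` results within a fixed query budget and reports fingerprints missing from a baseline, flagging issuers you did not expect. The `cursor` parameter, the `links.next` field and the environment variable names are assumptions, and the sample responses are constructed.

```python
import os
CERT_SEARCH = "https://search.censys.io/api/v2/certificates/search"  # endpoint used on this page

def censys_page(query, cursor=None):
    """Live fetcher; every call spends one query from the monthly quota."""
    import requests  # lazy import: the offline demo below never calls this
    params = {"q": query, "per_page": 100}
    if cursor:
        params["cursor"] = cursor  # assumption: cursor-style pagination
    creds = (os.environ["CENSYS_API_ID"], os.environ["CENSYS_API_SECRET"])  # assumed env var names
    r = requests.get(CERT_SEARCH, params=params, auth=creds, timeout=30)
    r.raise_for_status()
    return r.json()["result"]

def new_certificates(domain, known, allowed_issuers, fetch_page=censys_page, max_queries=3):
    """Return (alerts, queries_used, truncated) for certificates outside the baseline."""
    alerts, seen, cursor, used = [], set(known), None, 0
    while used < max_queries:
        result = fetch_page(f"names: {domain}", cursor)
        used += 1
        for cert in result.get("hits", []):
            fp = cert.get("fingerprint_sha256")
            if not fp or fp in seen:
                continue  # already in the baseline, or repeated on a later page
            seen.add(fp)
            issuer = cert.get("issuer_dn", "")
            alerts.append({"fingerprint": fp, "names": cert.get("names", []), "issuer": issuer,
                           "unexpected_issuer": not any(a in issuer for a in allowed_issuers)})
        cursor = (result.get("links") or {}).get("next")  # assumption: next-page cursor field
        if not cursor:
            return alerts, used, False  # walked every page
    return alerts, used, True  # budget spent with pages left: result is partial

# Constructed sample responses (not real Censys data), keyed by cursor.
LE = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE_PAGES = {
    None: {"hits": [{"fingerprint_sha256": "aa" * 32, "names": ["example.com"], "issuer_dn": LE},
                    {"fingerprint_sha256": "bb" * 32, "names": ["shop.example.com"], "issuer_dn": LE}],
           "links": {"next": "page2"}},
    "page2": {"hits": [{"fingerprint_sha256": "cc" * 32, "names": ["vpn.example.com"],
                        "issuer_dn": "O=Constructed Test CA, CN=Test Issuing CA"}], "links": {"next": ""}},
}

def sample_fetch(query, cursor=None):
    return SAMPLE_PAGES[cursor]

if __name__ == "__main__":
    found, used, partial = new_certificates("example.com", {"aa" * 32}, ["Let's Encrypt"], sample_fetch)
    print([(a["names"], a["unexpected_issuer"]) for a in found], used, partial)
```

Drop the `fetch_page` argument to run against the live API; a `truncated` value of `True` means the budget ran out before the last page, so the baseline comparison is incomplete.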
Rate Limits
| Tier | Queries/Month | Results/Query |
|---|---|---|
| Free | 250 | 100 |
| Researcher | 2,500 | 1,000 |
| Teams | Custom | Custom |
250 queries per month is enough for personal projects and small-scale security research.