Shodan
What is Shodan?
Shodan: A search engine that continuously scans the internet and indexes service banners so users can query exposed devices, ports, software versions, and certificates.
Shodan operates a global network of scanners that connect to common ports across the IPv4 space, collect banners and TLS metadata, and store the results in a searchable index. Analysts use Shodan to map their external attack surface, find forgotten assets, hunt for vulnerable software versions, and pivot from a target IP to other hosts that share a banner or certificate fingerprint. The platform exposes a web UI, REST API, and CLI, and provides filters such as port, product, country, organization, and hash. Defensive use cases include external attack-surface management, M&A diligence, third-party risk assessment, and validating that systems are not unintentionally internet-facing.
● Examples
- 01. Searching for org:'Acme Inc' to find every internet-facing host that mentions the company in banners.
- 02. Pivoting from a self-signed certificate hash to every other host on the internet presenting it.
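The defensive use described above, as an added example (not from the original page or from Shodan): it checks Shodan-style banner records for your own organization against an approved inventory and groups your hosts by certificate fingerprint to surface forgotten assets. The records, fingerprint values, inventory, and function names are constructed assumptions; the field names follow Shodan's banner format.

```python
"""Audit Shodan-style banner records for your own organization (constructed data)."""
from collections import defaultdict

# Constructed sample records using field names from Shodan's banner format
# (ip_str, port, product, org, ssl.cert.fingerprint.sha256). In practice these
# would come from an org: query for your own organization via the API or CLI.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 443, "product": "nginx", "org": "Acme Inc",
     "ssl": {"cert": {"fingerprint": {"sha256": "aa11"}}}},
    {"ip_str": "192.0.2.10", "port": 22, "product": "OpenSSH", "org": "Acme Inc"},
    {"ip_str": "198.51.100.7", "port": 3389, "product": "Remote Desktop Protocol",
     "org": "Acme Inc"},
    {"ip_str": "203.0.113.25", "port": 8443, "product": "nginx", "org": "Acme Inc",
     "ssl": {"cert": {"fingerprint": {"sha256": "aa11"}}}},
]

# Assumed inventory: the (ip, port) pairs that are meant to be internet-facing.
APPROVED = {("192.0.2.10", 443), ("192.0.2.10", 22)}


def unapproved_exposures(banners, approved):
    """Return sorted (ip, port, product) tuples that were indexed but are not approved."""
    findings = set()
    for b in banners:
        key = (b["ip_str"], b["port"])
        if key not in approved:
            findings.add((*key, b.get("product", "unknown")))
    return sorted(findings)


def hosts_by_certificate(banners):
    """Map each TLS certificate fingerprint to the hosts presenting it (2+ hosts only)."""
    groups = defaultdict(set)
    for b in banners:
        fp = b.get("ssl", {}).get("cert", {}).get("fingerprint", {}).get("sha256")
        if fp:
            groups[fp].add(b["ip_str"])
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, port, product in unapproved_exposures(SAMPLE_BANNERS, APPROVED):
        print(f"not in inventory: {ip}:{port} ({product})")
    for fp, ips in hosts_by_certificate(SAMPLE_BANNERS).items():
        print(f"certificate {fp} shared by: {', '.join(ips)}")
```

In the sample, the host at 203.0.113.25 is missing from the inventory yet presents the same certificate as an approved host, which is the pattern that usually marks a forgotten asset.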
● Frequently asked questions
What is Shodan?
A search engine that continuously scans the internet and indexes service banners so users can query exposed devices, ports, software versions, and certificates. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Shodan?
Defences for Shodan typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Shodan?
Common alternative names include: Shodan.io.
● Related terms
- Censys (defense-ops, № 154): An internet-wide scanning platform that publishes structured data on hosts and TLS certificates, used for attack-surface management and infrastructure pivoting.
- Attack Surface Management (ASM) (defense-ops, № 072): Continuous discovery, inventory, classification, and monitoring of all assets that expose an organization to potential cyberattack.
- External Attack Surface Management (EASM) (defense-ops, № 401): Continuous discovery and monitoring of all internet-facing assets that belong to an organization, viewed from an outside-in attacker perspective.
- Reconnaissance (defense-ops, № 905): The first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts.
- Nmap (defense-ops, № 740): An open-source network scanner used to map hosts, enumerate open ports and services, and fingerprint operating systems on IP networks.