Platform users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.
Add Censys Platform data enrichment to your security workflows using new integrations with OpenCTI and CyWare.
Use new extracted_text data in the Platform to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more.
Users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.
Use the dashboard to find assets of interest based on location, vendor, product name, protocol, text extracted from screenshots, and more. Learn more in the documentation.
Use new integrations to add Censys data enrichment to hosts, domains, certificates, and more to OpenCTI and CyWare.
These integrations were developed and are maintained by OpenCTI and CyWare, respectively.
Use new extracted_text data on services and endpoints to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more. This data can be found in the following new fields:
An exposed Fast Reverse Proxy (FRP) server dashboard has been detected. FRP is an open-source reverse proxy tool that allows users to expose internal services through NAT or firewalls to the internet without authorization. When deployed without IT approval, FRP constitutes shadow IT and creates significant security risks: it bypasses firewall controls, exposes internal services without proper security review, and has been observed being used by threat actors as a command-and-control tunneling mechanism.
ASM query:
risks.name: `Exposed Fast Reverse Proxy (FRP) Server`
risk
Exposed Gogs Application
This is an exposed HTTP service running Gogs. This self-hosted Git service often contains source code repositories, user credentials, and CI/CD configurations. The sensitive nature of the information contained in this application makes it a target.
ASM query:
risks.name: `Exposed Gogs Application`
risk
Exposed Gitea Application
This is an exposed HTTP service running Gitea. This self-hosted Git service often contains source code repositories, user credentials, and CI/CD configurations. The sensitive nature of the information contained in this application makes it a target.
ASM query:
risks.name: `Exposed Gitea Application`
risk
Exposed Nagios Fusion Application
A Nagios Fusion application is exposed to the internet. Nagios Fusion is a multi-server management platform that provides a unified view of monitoring servers. Exposure may allow unauthorized access to centralized monitoring management.
ASM query:
risks.name: `Exposed Nagios Fusion Application`
risk
Exposed Nagios Log Server Application
A Nagios Log Server application is exposed to the internet. Nagios Log Server is a centralized log management platform that can contain sensitive operational data. Exposure may allow unauthorized access to log data.
ASM query:
risks.name: `Exposed Nagios Log Server Application`
risk
Exposed Nagios Network Analyzer Application
A Nagios Network Analyzer application is exposed to the internet. Nagios Network Analyzer is a netflow and bandwidth monitoring tool that provides network traffic visibility. Exposure may allow unauthorized access to network analytics.
A Nagios Core application is exposed to the internet. Nagios Core is an open-source monitoring platform that provides infrastructure monitoring and alerting. Exposure may allow unauthorized access to monitoring data.
ASM query:
risks.name: `Exposed Nagios Core Application`
risk
Exposed Nagios Cross Platform Agent Application
A Nagios Cross Platform Agent (NCPA) application is exposed to the internet. Nagios Cross Platform Agent (NCPA) is a cross-platform monitoring agent that provides system metrics and remote management capabilities. Exposure may allow unauthorized access to system metrics and agent management.
A Nagios XI application is exposed to the internet. Nagios XI is an enterprise monitoring platform that provides infrastructure visibility and alerting. Exposure may allow unauthorized access to monitoring data and system management.
ASM query:
risks.name: `Exposed Nagios XI Application`
software
N-able Take Control
N-able Take Control is a remote support solution that can give users access to Windows, Mac, Linux, and mobile devices.
Raspberry Shake is a low-cost, professional-grade personal seismograph that pairs with a Raspberry Pi computer to detect ground vibrations, including earthquakes, volcanic activity, and human-made noise.
Remotely is an open-source, self-hosted remote control and management solution built with .NET 8, Blazor, and SignalR, designed as a TeamViewer alternative.
The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation.
Left-side navigation panel
The organization you are currently logged into is displayed in the top of the left-side nav bar. Switch to your Free account or another organization and access your organizational and personal settings from the organization drop-down.
Open the account selector menu, select your account or organization, and click the credits section to go to the Credit Management page.
Access to search and the dashboards for the Threat Hunting and Critical Infrastructure modules is now located in the Intelligence section of the left-side nav bar.
The My Work section contains your collections, a link to the Investigation Manager, and your search history.
The Resources section includes links to the Release Notes feed, the Censys Community. Additional resources like the Censys Academy and Data Definitions are nested under Learn in this section.
Alerts and Notifications
Access webhook configuration by clicking the bell icon for Alerts and Notifications in the top-right corner.
Personal Access Tokens, account management, and more
Create and manage Personal Access Tokens (PATs), manage your account, and switch between light and dark mode using the profile menu in the top right corner.
An exposed Ollama server. This application allows users to run and manage large language models (LLMs) locally. Exposing this service to the public internet can allow unauthorized access to AI models and computational resources.
As part of the plan to decommission Legacy Search (search.censys.io) in 2026, Censys will update its host data backend on March 28, 2026. In Legacy Search, this will result in changes to virtual host behavior, data freshness, select API fields, and other minor adjustments. These changes are described in detail below.
These changes do not remove host coverage from Legacy Search. Additionally, this change does not affect Platform (platform.censys.io) data or functionality.
Overall host coverage, scan cadence, historical data retention, existing functionality, query syntax, UI workflows, and entitlements in Legacy Search are not impacted.
Virtual hosts
The table below summarizes key changes to virtual host data after the change.
Area
Before
After
Impact
Virtual host definition
One per each hostname and IP address
Based on latest scanned IP per port
Increased historical view of data
Service persistence
Up to 45 days
Removed on next negative scan
14-day expiry, yielding less stale data
IP association
Services persisted across IPs
Services move scan IPs
Data “may” move between IPs
Duplication
Common
Reduced
More accurate representation of web assets
Data freshness
Expiration is changing to 14 days (previously 45 days).
Index updates will occur only when a scan for that IP is received.
The "See Latest" UI indication may appear more often.
In general, there will be less long-lived stale data.
API and service lifecycle changes
Timeline API: Forward pagination will be removed. API users must set reversed=true.
Service lifecycle: Services pending removal will be immediately removed from assets when a scan indicates they are no longer visible, instead of being marked as pending.
Removed fields
The following fields will be removed from Legacy Search:
services.parsed.rocketmq.version (RocketMQ)
services.ipp.response (IPP)
services.ipp.cups_response (IPP)
services.elasticsearch.http_info (Elasticsearch)
services.tls.server_key_exchange (TLS)
services.prometheus.http_info (Prometheus)
services.transport_fingerprint.* (Transport)
DNS records
dns.records.record_type will no longer return CNAME.
Record types will be limited to A and AAAA only.
Certificate API update frequency
The update frequency for the following APIs will change from realtime to every six hours:
/v2/hosts/{ip}/certificates
/v2/certificates/{fingerprint}/observations
We encourage you to review your workflows and integrations to prepare for these upcoming changes. If you have any questions or concerns about this transition, please reach out to our team at [email protected].
A NextGen Healthcare Mirth Connect administrator interface is exposed to the internet. Mirth Connect is healthcare integration software that processes and transforms medical data. Exposure may allow unauthorized access to sensitive health information.
Updated how web properties with multiple endpoints are displayed in the Platform web UI. They are now collected on a single hostname and port card instead of split across multiple cards.
Redirect chains, including start and end points, are now shown on host service and web endpoint cards in the Platform web UI.
To improve usability, when web properties have multiple endpoints they are now collected on a single hostname and port card instead of split across multiple cards.
Redirect chains are now shown on host service and web endpoint cards.
This is a FortiClient Endpoint Management Server (EMS). EMS is a security management solution that enables scalable and centralized management of multiple endpoints.
The following queries can be used to identify exposed BeyondTrust Remote Support and Privileged Remote Access instances. Not all of these services are necessarily vulnerable.
Platform Threat Hunting users can use the new Platform threat history API endpoints to obtain the history of any threats present on a host or web property.
You can define a specific time frame of interest for each of these endpoints. If you do not specify a time frame, this endpoint will search the historical dataset that is available to your account.
Use the new Service History timeline on host records in the Platform to quickly understand service history, persistence, anomalies, and other points of interest.
Use new HTTP redirect data in the Platform to identify misconfigurations, relationships, and more.
Version 1.0 of the cencli Platform command line tool was released. It includes more useful short outputs, org commands for organization details, and support for streaming output.
The new Service History timeline on host records is a visualization of service presence over time broken down by protocol and port pairs. Use it to quickly understand service history, persistence, anomalies, and other points of interest.
Added several parsed data fields for HTTP redirect chains to hosts and web properties.
Use this data to map relationships, identify misconfigurations, find parked domains, locate abandoned infrastructure, and more. For example, run web.endpoints.http.redirect_chain.hostname="censys.com" to find web properties that redirect to censys.com.
Redirect data is provided in the following fields.
Field
Description
[host.services or web].endpoints.http.redirect_chain
The nested object that contains redirect chain data.
*.endpoints.http.redirect_chain.reason
The reason for the redirect. Can be HTTP_3XX, REFRESH_HEADER, or UNRECOGNIZED.
The path that the redirect points to, like /, /login, /admin, and so on.
*.endpoints.http.redirect_chain.port
The port that the redirect points to.
Redirect data is visible to and searchable by users on the Core and Enterprise plans. Redirect data is visible to Starter and Free users, but they cannot search across it.
OpenClaw (formerly Clawdbot/Moltbot) is an open-source personal AI assistant that can execute commands, automate tasks, and manage workflows on the host system.
An OpenClaw control interface is exposed to the internet. OpenClaw (formerly Clawdbot/Moltbot) is an open-source personal AI assistant that can automate tasks on the host system. Exposing this interface may allow unauthorized access to execute arbitrary commands and access sensitive data.
ASM risk query:
risks.name= `Exposed OpenClaw Interface`
risk
EIP (EtherNet/IP) Service Exposed
This service is running EtherNet/IP (EIP), an industrial communication protocol for PLCs, HMIs, and industrial automation equipment. Exposure could allow attackers to read/write PLC programs, modify control logic, disrupt industrial processes, or cause equipment damage.
ASM risk query:
risks.name= `EIP (EtherNet/IP) Service Exposed`
risk
CODESYS Service Exposed
This service is running CODESYS, an automation platform for industrial control systems. Exposure could allow attackers to read/write PLC programs, modify control logic, disrupt industrial processes, or cause equipment damage.
ASM risk query:
risks.name= `CODESYS Service Exposed`
risk
Exposed MCP Inspector
Exposed MCP Inspector instance. This is a visual developer tool for testing and debugging Model Context Protocol servers.
ASM risk query:
risks.name="Exposed MCP Inspector"
risk
Vulnerable SmarterMail [CVE-2026-23760]
This SmarterMail server is running a build version vulnerable to CVE-2026-23760, a critical authentication bypass vulnerability that allows unauthenticated attackers to reset administrator accounts without verifying credentials or reset tokens. Since SmarterMail administrator privileges include the ability to execute operating system commands, successful exploitation results in complete administrative compromise with SYSTEM or root-level access on the underlying host. Build versions 9510 and earlier are vulnerable.
Use the new cloud asset context in ASM to help you identify asset ownership for easier remediation. This contextual metadata is retrieved for all assets sourced from the AWS, GCP, and Azure Cloud Connectors and the Wiz integration.
You can now obtain your Platform organization ID from the Account Management page in the Platform web console.
This is a Scope Sentry instance. Scope Sentry is a tool with functions such as asset mapping, subdomain enumeration, information leakage detection, vulnerability scanning, directory scanning, subdomain takeover, crawler, and page monitoring.
Use the new audit log in the UI or API to review user and organization events for the Platform and user, organization, and workspace events for Attack Surface Management (ASM).
Detection history is now shown on the Threats tab for hosts and web properties in the Platform web console. Use this timeline to quickly understand previous threat presence on an asset.
Use personalized fields in the Platform web app to highlight data fields of interest in your search results.
The Censys Assistant AI tool is now available in the Platform web app for all users. Use the assistant to input questions or prompts in a natural language and obtain answers based on the assets and data present in the Censys Internet Map. Learn more about the assistant in the video below.
Use the new audit log in the UI or API to review user and organization events for the Platform and user, organization, and workspace events for Attack Surface Management (ASM).
The Censys team has started migrating ASM customers to the Platform for organization management. Contact your Censys team representative to learn more about migrating your team.
Use personalized fields in the Platform web app to highlight data fields of interest in your search results.
Using personalized fields does not filter your search results like the filters on the left side of the page; it simply displays your configured fields on results that have already been returned by your query.
Use the new threat history visual timeline on hosts and web properties to quickly understand previous threat presence on an asset.
Hover over a plot line to see the first observed and last observed timestamps. By default, the date range displayed is the previous 30 days. Use the date picker to adjust the displayed range.
This is an exposed HTTP service running Flowise. This web application provides an interface for building Large Language Models (LLM) workflows and agents. Exposure could lead to data leakage or unauthorized use of the system.
ASM risk query:
risks.name: `Exposed Flowise Application`
risk
Exposed Open WebUI Application
This is an exposed HTTP service running Open WebUI. This web application provides an interface for interacting with Large Language Models (LLM). Exposure could lead to data leakage or unauthorized use of the system.
