When analyzing internet infrastructure, a reactive defender like a SOC analyst has different goals than a proactive defender, like a vulnerability analyst. Role aware insights for the Censys Assistant provide you with context that transforms generic responses into role-tailored insights.
New fingerprints and risks
Added the following fingerprint.
New fingerprints
Name
Description
Query
Cobwebs Trapdoor
Cobwebs Trapdoor is a phishing and social engineering platform.
Use the Censys Assistant in ASM to input questions in a natural language and obtain answers based on the assets present in your attack surface inventory.
Use the Censys Assistant in ASM to input questions in a natural language and obtain answers based on the assets present in your attack surface inventory.
Prompt the assistant with input like:
Whether any of your assets are vulnerable to a specific CVE.
Aggregate and analyze the cloud providers are present in your inventory.
Find services running on nonstandard ports.
To use the Censys Assistant in ASM, your organization must be migrated to the Platform for team management. Contact your Censys representative to learn more about migrating.
This service exposes Nginx UI, a web admin panel for nginx that can reveal configuration and permit changes if access controls are weak.
ASM risk query:
risks.name: "Exposed Nginx UI Application"
Exposed Oracle WebLogic Server Administration Console
The Oracle WebLogic Server Administration Console is reachable over HTTP. This management UI controls the application server and related resources. Exposing it to the Internet increases unauthorized access and attack risk.
ASM risk query:
risks.name: "Exposed Oracle WebLogic Server Administration Console"
Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset.
An example host and its reputation score shown in the Platform UI.
Use reputation scores in the Censys Platform to quickly determine the potential risk associated with hosts, validated by transparent evidence in the Censys dataset. This score enables you to prioritize alerts with IP indicators faster and perform triage and analysis more effectively with a transparent and consistent scoring methodology.
Reputation scores and their attendant data are only available to Censys Enterprise users. Additional score context data is available to Censys Enterprise users with access to the Adversary Investigation module. See the documentation for more information.
Censys ARC Rapid Response
The Censys ARC team published information about and queries for the following issue.
Sangoma Asterisk is an open-source communications framework for building Voice over Internet Protocol Private Branch Exchange (VoIP PBX) systems, voicemail, and conferencing.
This service is using a version of Handlebars.js (4.0.0–4.7.8) vulnerable to CVE-2026-33937, a critical server-side remote code execution vulnerability. Handlebars.compile() emits the value field of a NumberLiteral AST node directly into generated JavaScript without sanitization. An attacker who controls the AST passed to compile() can inject and execute arbitrary JavaScript in any Node.js application that passes user-controlled input to compile().
This is an exposed FortiClient EMS instance prone to an improper access control vulnerability that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
ARC, Censys' cybersecurity research team, frequently releases new advisories and queries for trending security issues. These are shown in a carousel under the search bar. Use these queries to track important issues and learn how to build your own targeted searches. Most of these queries utilize data that is available to Free users, but sometimes they will use regex or other entitled fields.
You can now view interactive demos of data add-on modules in the Platform web console. Use the left navigation bar to view demos for the Adversary Investigation and Critical Infrastructure modules.
Adversary Investigation
Use new CensEye APIs to create pivot analysis jobs to find web infrastructure related to threats and other assets.
The new pivot analysis job endpoint extracts default pivot fields from the target asset and counts matching documents for each field-value pair. This is similar to using CensEye in the Platform web UI.
These integrations include several ad hoc enrichment actions for hosts, web properties, and certificates that can be used on an ad hoc basis or used for automated enrichment.
Watch this video to learn more about how to use the Splunk SOAR application.
The name of the "Explore Threats" page in the Platform UI has been changed to "Tracked Threats."
Rapid Response
The Censys Rapid Response team published information about and queries for the following issue.
An HTTP service is exposing a Fortinet FortiAnalyzer application. FortiAnalyzer is a centralized logging and reporting solution that aggregates security and traffic data from FortiGate and other Fortinet devices. Exposing this management interface to the internet can allow unauthorized access to sensitive network and security analytics.
ASM risk query:
risks.name: "Exposed FortiAnalyzer Application"
risk
Exposed NetBox Application
A NetBox application is exposed to the internet. NetBox is a DCIM and IPAM tool that manages network infrastructure, IP allocations, and device inventories. Exposure may allow unauthorized access to sensitive network topology and infrastructure data.
Platform users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.
Add Censys Platform data enrichment to your security workflows using new integrations with OpenCTI and CyWare.
Use new extracted_text data in the Platform to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more.
Users with access to the Critical Infrastructure module can use the new Critical Infrastructure dashboard to quickly pivot through a filterable view of ICS/OT assets and data identified by Censys scans.
Use the dashboard to find assets of interest based on location, vendor, product name, protocol, text extracted from screenshots, and more. Learn more in the documentation.
Use new integrations to add Censys data enrichment to hosts, domains, certificates, and more to OpenCTI and CyWare.
These integrations were developed and are maintained by OpenCTI and CyWare, respectively.
Use new extracted_text data on services and endpoints to find assets with screenshots that include keywords like vendor or product names, login interfaces, and more. This data can be found in the following new fields:
An exposed Fast Reverse Proxy (FRP) server dashboard has been detected. FRP is an open-source reverse proxy tool that allows users to expose internal services through NAT or firewalls to the internet without authorization. When deployed without IT approval, FRP constitutes shadow IT and creates significant security risks: it bypasses firewall controls, exposes internal services without proper security review, and has been observed being used by threat actors as a command-and-control tunneling mechanism.
ASM query:
risks.name: `Exposed Fast Reverse Proxy (FRP) Server`
risk
Exposed Gogs Application
This is an exposed HTTP service running Gogs. This self-hosted Git service often contains source code repositories, user credentials, and CI/CD configurations. The sensitive nature of the information contained in this application makes it a target.
ASM query:
risks.name: `Exposed Gogs Application`
risk
Exposed Gitea Application
This is an exposed HTTP service running Gitea. This self-hosted Git service often contains source code repositories, user credentials, and CI/CD configurations. The sensitive nature of the information contained in this application makes it a target.
ASM query:
risks.name: `Exposed Gitea Application`
risk
Exposed Nagios Fusion Application
A Nagios Fusion application is exposed to the internet. Nagios Fusion is a multi-server management platform that provides a unified view of monitoring servers. Exposure may allow unauthorized access to centralized monitoring management.
ASM query:
risks.name: `Exposed Nagios Fusion Application`
risk
Exposed Nagios Log Server Application
A Nagios Log Server application is exposed to the internet. Nagios Log Server is a centralized log management platform that can contain sensitive operational data. Exposure may allow unauthorized access to log data.
ASM query:
risks.name: `Exposed Nagios Log Server Application`
risk
Exposed Nagios Network Analyzer Application
A Nagios Network Analyzer application is exposed to the internet. Nagios Network Analyzer is a netflow and bandwidth monitoring tool that provides network traffic visibility. Exposure may allow unauthorized access to network analytics.
A Nagios Core application is exposed to the internet. Nagios Core is an open-source monitoring platform that provides infrastructure monitoring and alerting. Exposure may allow unauthorized access to monitoring data.
ASM query:
risks.name: `Exposed Nagios Core Application`
risk
Exposed Nagios Cross Platform Agent Application
A Nagios Cross Platform Agent (NCPA) application is exposed to the internet. Nagios Cross Platform Agent (NCPA) is a cross-platform monitoring agent that provides system metrics and remote management capabilities. Exposure may allow unauthorized access to system metrics and agent management.
A Nagios XI application is exposed to the internet. Nagios XI is an enterprise monitoring platform that provides infrastructure visibility and alerting. Exposure may allow unauthorized access to monitoring data and system management.
ASM query:
risks.name: `Exposed Nagios XI Application`
software
N-able Take Control
N-able Take Control is a remote support solution that can give users access to Windows, Mac, Linux, and mobile devices.
Raspberry Shake is a low-cost, professional-grade personal seismograph that pairs with a Raspberry Pi computer to detect ground vibrations, including earthquakes, volcanic activity, and human-made noise.
Remotely is an open-source, self-hosted remote control and management solution built with .NET 8, Blazor, and SignalR, designed as a TeamViewer alternative.
The Censys Platform web UI has been updated to make the search bar the focus on the home page and improve navigation.
Left-side navigation panel
The organization you are currently logged into is displayed in the top of the left-side nav bar. Switch to your Free account or another organization and access your organizational and personal settings from the organization drop-down.
Open the account selector menu, select your account or organization, and click the credits section to go to the Credit Management page.
Access to search and the dashboards for the Threat Hunting and Critical Infrastructure modules is now located in the Intelligence section of the left-side nav bar.
The My Work section contains your collections, a link to the Investigation Manager, and your search history.
The Resources section includes links to the Release Notes feed, the Censys Community. Additional resources like the Censys Academy and Data Definitions are nested under Learn in this section.
Alerts and Notifications
Access webhook configuration by clicking the bell icon for Alerts and Notifications in the top-right corner.
Personal Access Tokens, account management, and more
Create and manage Personal Access Tokens (PATs), manage your account, and switch between light and dark mode using the profile menu in the top right corner.
An exposed Ollama server. This application allows users to run and manage large language models (LLMs) locally. Exposing this service to the public internet can allow unauthorized access to AI models and computational resources.
As part of the plan to decommission Legacy Search (search.censys.io) in 2026, Censys will update its host data backend on March 31, 2026. In Legacy Search, this will result in changes to virtual host behavior, data freshness, select API fields, and other minor adjustments. These changes are described in detail below.
These changes do not remove host coverage from Legacy Search. Additionally, this change does not affect Platform (platform.censys.io) data or functionality.
Overall host coverage, scan cadence, historical data retention, existing functionality, query syntax, UI workflows, and entitlements in Legacy Search are not impacted.
Virtual hosts
The table below summarizes key changes to virtual host data after the change.
Area
Before
After
Impact
Virtual host definition
One per each hostname and IP address
Based on latest scanned IP per port
Increased historical view of data
Service persistence
Up to 45 days
Removed on next negative scan
14-day expiry, yielding less stale data
IP association
Services persisted across IPs
Services move scan IPs
Data “may” move between IPs
Duplication
Common
Reduced
More accurate representation of web assets
Data freshness
Expiration is changing to 14 days (previously 45 days).
Index updates will occur only when a scan for that IP is received.
The "See Latest" UI indication may appear more often.
In general, there will be less long-lived stale data.
API and service lifecycle changes
Timeline API: Forward pagination will be removed. API users must set reversed=true.
Service lifecycle: Services pending removal will be immediately removed from assets when a scan indicates they are no longer visible, instead of being marked as pending.
Removed fields
The following fields will be removed from Legacy Search:
services.parsed.rocketmq.version (RocketMQ)
services.ipp.response (IPP)
services.ipp.cups_response (IPP)
services.elasticsearch.http_info (Elasticsearch)
services.tls.server_key_exchange (TLS)
services.prometheus.http_info (Prometheus)
services.transport_fingerprint.* (Transport)
DNS records
dns.records.record_type will no longer return CNAME.
Record types will be limited to A and AAAA only.
Certificate API update frequency
The update frequency for the following APIs will change from realtime to every six hours:
/v2/hosts/{ip}/certificates
/v2/certificates/{fingerprint}/observations
We encourage you to review your workflows and integrations to prepare for these upcoming changes. If you have any questions or concerns about this transition, please reach out to our team at [email protected].
