Explore Threats
The Explore Threats page provides threat hunters with a centralized view into internet-facing infrastructure linked to malware and threat actors to proactively detect and track adversary activity, uncover patterns, and reduce your organization's attack risk by identifying infrastructure early.
It combines interactive visualizations, curated threat profiles, and simplified filtering to help users quickly identify relevant threats. On the Threat Detail page, you can review metadata describing a threat for context on affiliated attacks and actors, and you can track these threats in a Collection for real-time infrastructure updates.
Using the Explore Threats page, you can take several actions to strengthen your security posture and improve threat intelligence workflows:
- Enrich Existing Threat Intelligence: Correlate threat infrastructure with internal logs, enrich existing threat data, and provide broader context for analysis.
- Inform Threat Hunting Activities: Use the Threat Dataset as a starting point for advanced hunts to track down clusters of potentially related malicious assets.
- Validate Security Controls: Continuously update existing security controls (firewalls, proxies, intrusion prevention systems) against the threat infrastructure to identify gaps in coverage.
- Automate Alerts and Correlation: Configure security tools (SIEM, EDR, etc.) to generate alerts based on webhooks from your collections, enabling near real-time detection of potentially malicious activity within your environment.
- Support Incident Response Efforts: During an active incident, leverage the current and historical threat data from a collection to quickly inform containment and remediation strategies.
Threat data information
The Censys threat research team identifies scan data attributes that are specific to malware families and develops and updates fingerprints for them. For some malware families, Censys creates and manages more advanced fingerprinting and analysis infrastructure, such as custom scanners for Cobalt Strike or scanning for URL endpoints that are affiliated with specific families.
To attribute malware to specific threat groups, Censys uses a data source called Malpedia that provides up-to-date articles about malware families and threat groups associated with those families.
Explore threats
Follow the steps below to begin exploring threats using an example workflow. You can explore threats by type, actor, and geography.
- Go to Explore in the Censys Platform.
- Use the dropdown menus at the top of the map to define the Threat Type, Threat Name, and Threat Group.
- The map shows the number of threats along with their geographical locations. When you select values from the threat dropdown menus, the map refines the counts for each country and updates. For the example below, C2 Server, Cobalt Strike, and CopyKittens were selected.

- In the Country and Total Threats section, click on 861 to the right of China. This executes a query.
Understand results
The query results show hosts and web properties in China classified as C2 servers. These assets display traits of Cobalt Strike activity linked to CopyKittens and may be part of the same operation observed on the selected host or web property.
You can refine the query results using the filters on the left-side navigation. The Threat Hunting module provides an additional Threats filter.

Host card
The host card displays essential details such as IP address, network, location, and open services. For threat hunters, the most relevant insights are in the matched fields: the threat type (C2_SERVER), the malware used (Cobalt Strike), and the associated actor (CopyKittens). Three services, 22/SSH, 80/HTTP, and 8081/HTTP, are flagged as hosting the threat.
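To show how the per-service flags on a host card can be used when correlating threat infrastructure with internal logs, the following is an added example, not Censys code. The record field names, the log layout, and the IP addresses (documentation ranges) are constructed assumptions; only the threat labels come from the example on this page.

```python
import csv
import io
import ipaddress

# Constructed sample records; field names are hypothetical, not the Censys schema.
# Labels reuse the page's example (C2_SERVER / Cobalt Strike / CopyKittens).
LABEL = {"threat_type": "C2_SERVER", "threat": "Cobalt Strike", "actor": "CopyKittens"}
THREAT_SERVICES = [
    {"ip": "203.0.113.10", "port": 22, **LABEL},
    {"ip": "203.0.113.10", "port": 80, **LABEL},
    {"ip": "203.0.113.10", "port": 8081, **LABEL},
    {"ip": "198.51.100.7", "port": 443, **LABEL},
]

# Constructed egress log: timestamp,source,destination,destination_port
EGRESS_LOG = """\
2025-05-06T23:10:02Z,10.0.4.21,203.0.113.10,8081
2025-05-06T23:11:40Z,10.0.4.21,203.0.113.10,443
2025-05-06T23:12:05Z,10.0.9.3,192.0.2.55,443
2025-05-06T23:15:19Z,10.0.7.8,198.51.100.7,443
truncated,line
"""

def build_index(records):
    """Map each threat IP to {flagged port: record}."""
    index = {}
    for rec in records:
        ip = str(ipaddress.ip_address(rec["ip"]))  # normalise the address text
        index.setdefault(ip, {})[int(rec["port"])] = rec
    return index

def correlate(log_text, index):
    """Return one finding per log line whose destination is threat infrastructure."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        try:
            ts, src, dst, port = row
            dst, port = str(ipaddress.ip_address(dst)), int(port)
        except ValueError:  # wrong field count, bad IP or bad port: skip the line
            continue
        ports = index.get(dst)
        if ports is None:
            continue
        # Same IP and port as a flagged service is stronger than the IP alone.
        match = "flagged_service" if port in ports else "ip_only"
        rec = ports.get(port) or next(iter(ports.values()))
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "match": match, "threat": rec["threat"], "actor": rec["actor"]})
    return findings
```

Calling `correlate(EGRESS_LOG, build_index(THREAT_SERVICES))` returns three findings; the `ip_only` one marks traffic to a threat host on a port that was not flagged, which usually deserves a lower triage priority than a `flagged_service` match.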

Host tabs
Scroll down to the tabs to learn more. Each tab provides info about the threat.

Services tab
The Services tab provides a detailed view of all services detected on a host, including protocol, port, and metadata like banners, headers, URIs, cryptographic details, known vulnerabilities, and the services linked to the threat type.
Each service record includes:
- Port and Protocol: This example shows a service running on TCP port 22 using SSH.
- Software: The SSH service is running OpenBSD OpenSSH 8.9p1.
- Last Observed: Last seen on May 6, 2025, at 23:53 UTC, indicating recent visibility.
- Host Key: Includes the algorithm ecdsa-sha2-nistp256 and fingerprint for identifying the SSH key used by the host.
- Negotiated Settings: Lists the key exchange curve25519-sha256, symmetric ciphers aes128-ctr, and MACs hmac-sha2-256 used in the SSH handshake.
- CVEs: Seven vulnerabilities are associated with this service.
Click Live Rescan to perform a fresh scan of the service. To learn more about Rescan, see Use Live Scan and Rescan to Validate Infrastructure.

Threats tab
The Threats tab provides context for a threat, such as Cobalt Strike. This includes metadata about the threat, related actors, threat type, tactics, and the services where Censys observed the behavior.
- Names: In the example below, Cobalt Strike is the primary name, while the Names field lists all known aliases and names. This makes it easier to search across different tools, regardless of the naming conventions they use.
- Actors: Lists all actors known to use Cobalt Strike. Actors is the primary name, while the Actors Names field lists all known aliases and names. This makes it easier to search across different tools, regardless of the naming conventions they use.
- Threat Description: Provides a detailed description of the threat and a link to Malpedia for more information.
- Services: At the bottom of the card, the Services where the threat was detected are listed. Each entry includes the protocol and port (HTTP 80/TCP), the timestamp of detection, and the confidence level assigned to the threat detection.
This card maps to the Threat object in the dataset. To learn more, see Threat Hunting Dataset.

Discover Pivots and Event History
These tabs are discussed in different docs. To learn what you can do with the Discover Pivots tab, see Use CensEye to Build Detections. To learn more about what you can do with the Event History tab, see Use Live Rescan and Discovery to Validate Infrastructure.
Search for Threat Types
Scroll down on the Explore Threats page to view threats, search for threats, and filter by Time Period or Count. To the right of threat type, you can view the trend based on the timeframe you selected.
The Hosts | Threats value indicates the number of hosts this threat has been detected on. In the screenshot below, 22 unique hosts are associated with the Cobalt Strike threat. If you click the value, 22, Censys executes a search for those hosts.

Threat details page
The Threat Details Page provides a comprehensive view of a single threat tracked by Censys. It aims to offer security professionals in-depth contextual information, enabling a deeper understanding of the threat's characteristics, associated actors, and historical activity.
To learn more about the threat object, see Threat Hunting Dataset.
Threat Activity
The Threat Detail page provides a timeline that tracks Total Assets added over the past 30 days.
Add to My Collections allows you to create a collection to receive updates about added assets. It populates the search query for you.
View All Threat Assets executes a query that lists all threat assets associated with the threat type.
