Explore Threats
The Explore Threats page provides threat hunters with a centralized view into internet-facing infrastructure linked to malware and threat actors to proactively detect and track adversary activity, uncover patterns, and reduce your organization's attack risk by identifying infrastructure early.
It combines interactive visualizations, curated threat profiles, and simplified filtering to help users quickly identify relevant threats. You can review metadata describing a threat for context on affiliated attacks and actors on the Threat Detail page and track these threats in a Collection for real-time infrastructure updates.
Using the Explore Threats page, you can take several actions to strengthen your security posture and improve threat intelligence workflows:
- Enrich Existing Threat Intelligence: Correlate threat infrastructure with internal logs, enrich existing threat data, and provide broader context for analysis.
- Inform Threat Hunting Activities: Use the Threat Dataset as a starting point for advanced hunts to track down clusters of potentially related malicious assets.
- Validate Security Controls: Continuously update existing security controls (firewalls, proxies, intrusion prevention systems) against the threat infrastructure to identify gaps in coverage.
- Automate Alerts and Correlation: Configure security tools (SIEM, EDR, etc.) to generate alerts based on webhooks from your collections, enabling near real-time detection of potentially malicious activity within your environment.
- Support Incident Response Efforts: During an active incident, leverage the current and historical threat data from a collection to quickly inform containment and remediation strategies.
Explore threats
Follow the steps below to begin exploring threats using an example workflow. You can explore threats by type, actor, and geography.
- Go to Explore Threats in the Censys Platform.
- Click the Threat Type dropdown to select a threat.

- Click the Threat Group dropdown to select a group. You can select multiple Threat Groups.

- The map populates with the number of threats along with their geographical locations. This isolates the threat infrastructure and allows you to explore it.

- In the Country and Total Threats section, click on 18 to the right of China. This executes a query.
Understand results
The query results show all hosts and web properties in China identified as C2 servers. These servers are associated with malware previously used by FIN7 and are linked to the threat detected on the host or web property.
You can refine the query results using the filters on the left nav. The Threat Hunting module provides an additional Threats filter.

Host card
The host card provides basic information such as IP, location, etc. In the example below, what most likely interests a threat hunter is the malware (Cobalt Strike), Matched Fields, and that a threat was detected on two services: 80/HTTP and 8010/HTTP.

Host tabs
Scroll down to the tabs to learn more. Each tab provides info about the threat.

Services tab
The Services tab provides a detailed view of all services detected on a host, including protocol, port, and metadata like banners, headers, URIs, and the services linked to the threat type.
Each service entry includes:
- Port and Protocol: In the example below, the service is running on TCP port 8010 using HTTP, which is a common configuration for Cobalt Strike C2 servers trying to evade detection.
- Last Observed: Last Seen on April 7, 2025, at 12:48 UTC. This indicates recent visibility and potential activity.
- URI: The host was accessible via http://1.92.135.168:8010/, which is the root path (/) of the web service.
- Status: The HTTP response code returned when the scanner tried to access the URI.
- Path: Shows the portion of the URL that was requested; a / indicates that the service was accessed at the root level.
Click Live Rescan to perform a fresh scan of the service. To learn more about Rescan, see Use Live Scan and Rescan to Validate Infrastructure.

Threats tab
The Threats tab provides context for a threat, such as Cobalt Strike. This includes metadata about the threat, related actors, threat type, tactics, and the services where Censys observed the behavior.
In the example below, Cobalt Strike is the primary name, while the Names field lists all known aliases and names. This makes it easier to search across different tools, regardless of the naming conventions they use.
The Actors field lists all actors known to use Cobalt Strike. Actors is the primary name, while the Actors Names field lists all known aliases and names. This makes it easier to search across different tools, regardless of the naming conventions they use.
The Threat Description provides a detailed description of the threat and a link to Malpedia for more information.
At the bottom of the card, you’ll find the Services where the threat was detected. Each entry includes the protocol and port (HTTP 80/TCP), the timestamp of detection, and the confidence level assigned to the threat detection.
This card maps to the Threat object in the dataset. To learn more, see Threat Hunting Dataset.
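The per-service detail on the Services and Threats tabs is what makes correlation with internal logs precise: a connection to the exact IP and port where the threat was observed is a stronger signal than a connection to the same host on another port. The following is an added example, not Censys code; the record field names, the proxy log layout, and the 14-day window are assumptions, and all log lines are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed export of threat-flagged services. Field names are hypothetical,
# not the Censys dataset schema; the IP and ports come from the example on this page.
THREAT_SERVICES = [
    {"ip": "1.92.135.168", "port": 80, "threat": "Cobalt Strike",
     "last_observed": "2025-04-07T12:48:00+00:00"},
    {"ip": "1.92.135.168", "port": 8010, "threat": "Cobalt Strike",
     "last_observed": "2025-04-07T12:48:00+00:00"},
]

# Constructed egress proxy log (CSV): timestamp, internal client, dest IP, dest port.
PROXY_LOG = """\
2025-04-06T09:15:02+00:00,10.20.4.17,1.92.135.168,8010
2025-04-06T09:15:40+00:00,10.20.4.17,203.0.113.50,443
2025-04-08T22:01:11+00:00,10.20.9.3,1.92.135.168,22
2024-11-01T03:00:00+00:00,10.20.7.8,1.92.135.168,80
"""

def correlate(threat_services, log_text, window_days=14):
    """Return log events whose destination matches threat infrastructure."""
    by_service = {(t["ip"], t["port"]): t for t in threat_services}
    by_host = {}
    for t in threat_services:
        by_host.setdefault(t["ip"], t)
    hits = []
    for ts, src, dst, port in csv.reader(io.StringIO(log_text)):
        record = by_service.get((dst, int(port)))
        match = "service" if record else "host"
        record = record or by_host.get(dst)
        if record is None:
            continue  # destination is not in the threat set
        seen = datetime.fromisoformat(record["last_observed"])
        gap = abs(datetime.fromisoformat(ts) - seen)
        hits.append({
            "time": ts, "client": src, "dest": f"{dst}:{port}",
            "threat": record["threat"],
            "match": match,  # "service": same IP and port; "host": same IP only
            # Traffic far from the observation time may predate the threat's use of this IP.
            "recent": gap <= timedelta(days=window_days),
        })
    # Triage order: exact service matches first, then events near the observation time.
    return sorted(hits, key=lambda h: (h["match"] != "service", not h["recent"], h["time"]))

if __name__ == "__main__":
    for hit in correlate(THREAT_SERVICES, PROXY_LOG):
        print(hit)
```
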

Discover Pivots and Event History
These tabs are discussed in different docs. To learn what you can do with the Discover Pivots tab, see Use CensEye to Build Detections. To learn more about what you can do with the Event History tab, see Use Live Rescan and Discovery to Validate Infrastructure.
Search for Threat Types
Scroll down on the Explore Threats page to view threats, search for threats, and filter by Time Period or Count. To the right of threat type, you can view the trend based on the timeframe you selected.
The Hosts | Threats value indicates the number of hosts this threat has been detected on. In the screenshot below, 22 unique hosts are associated with the Cobalt Strike threat. If you click the value, 22, Censys executes a search for those hosts.

Threat details page
The Threat Details Page provides a comprehensive view of a single threat tracked by Censys. It aims to offer security professionals in-depth contextual information, enabling a deeper understanding of the threat's characteristics, associated actors, and historical activity.
To learn more about the threat object, see Threat Hunting Dataset.
Threat Activity
The Threat Detail page provides a timeline that tracks Total Assets added over the past 30 days.
Add to My Collections allows you to create a collection to receive updates about added assets. It populates the search query for you.
View All Threat Assets executes a query that lists all threat assets associated with the threat type.
