Host Reputation
In the Censys Platform, hosts are assigned a reputation score. This score enables you to prioritize alerts with IP indicators faster and perform triage and analysis more effectively with a transparent and consistent scoring methodology.

An example host and its reputation score shown in the Platform UI.
Reputation scores and their attendant data are only available to Censys Enterprise users. Additional score context data is available to Censys Enterprise users with access to the Threat Hunting module.
Host reputation is a beta feature that is available to a select group of customers.
Score details and data
Hosts are assigned a score ranging from 0 (benign) to 100 (malicious). This score is visible on host preview and detail cards in the Platform web UI and is present in the host.reputation data object, which can be searched in the UI or through the API.
Ranges for each reputation score level are described below.
| Score | Level |
|---|---|
| 0-20 | Benign |
| 21-40 | Low Risk |
| 41-60 | Medium Risk |
| 61-80 | High Risk |
| 81-100 | Malicious |
How reputation scores are determined
Reputation scores are determined based on the following criteria. Each category is weighted differently.
| Category | Description |
|---|---|
| Command and control (C2) and offensive tooling infrastructure | Whether tools associated with C2 or offensive operations were detected on a host. This is one of the strongest indicators of malicious intent in Censys methodology. Examples include hosts running known malicious tools like AsyncRAT, Cobalt Strike, and so on. |
| Phishing, impersonation, and deceptive infrastructure | Represents infrastructure used for user deception or impersonation. This strongly influences a host's reputation score. Examples include hosts running Gophish and fake captcha services. |
| Network infrastructure | Indicates infrastructure that tolerates or enables persistent malicious activity. This is a structural signal but is not determinative on its own. Examples include hosts associated with "bulletproof" hosting services. |
| Anonymization infrastructure | Provides contextual information about traffic obfuscation or identity masking. This signal does not imply malicious intent in isolation and is weighted lower in Censys methodology. Examples include hosts that function as VPN or Tor nodes, proxies, or relays. |
If multiple criteria are present on a host, then its reputation score will be higher.
Reputation score in the UI
A host's reputation score is shown on search result cards and on the host details page.

Reputation scores on host preview cards.
On host detail cards, click the Reputation tab to see additional detail about the asset's score, including the evidence categories used to determine the host's score and the host data associated with each category.

The JSON view of evidence for the command and control category on an example host.
Reputation score data
Reputation score data can be searched in the UI or retrieved via the API by targeting the host.reputation object. Note that score values are floating-point numbers with up to three decimal places. A reputation score of 81 in the UI is represented in the data as 0.81.
The following table describes which data fields are available to different user entitlement levels.
| Data group | Enterprise | Enterprise with Threat Hunting module |
|---|---|---|
| Reputation score and level (host.reputation.score and host.reputation.score.level) | Yes | Yes |
| Category scores (host.reputation.evidence.evidence_score) | Yes | Yes |
| Evidence summary (host.reputation.evidence.category) | Yes | Yes |
| Full evidence (including nested host.reputation.evidence.threats data) | No | Yes |
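The stored score uses a 0-1 scale while the UI and the level ranges use 0-100, so alert triage code has to convert before comparing. The following is an added example, not Censys code, that converts stored scores, assigns levels, and orders alerts for review. Assumptions: the record layout (an ip key, evidence as a list of objects), the category strings, the "Unscored" label, and placing a value that falls between two ranges in the higher one.

```python
# Added example, not Censys code. The record layout is an assumption.
BANDS = [(20, "Benign"), (40, "Low Risk"), (60, "Medium Risk"),
         (80, "High Risk"), (100, "Malicious")]  # ranges from the level table

def ui_score(raw):
    """Convert the stored 0-1 value to the 0-100 scale shown in the UI."""
    if isinstance(raw, bool) or not isinstance(raw, (int, float)) or not 0 <= raw <= 1:
        raise ValueError(f"reputation score out of range: {raw!r}")
    # Up to three stored decimals means one decimal here; rounding also
    # removes binary float noise (0.29 * 100 == 28.999999999999996).
    return round(raw * 100, 1)

def level(raw):
    """Map a stored score to its level."""
    score = ui_score(raw)
    # Assumption: a value between two ranges (20.5) falls in the higher one.
    return next(name for upper, name in BANDS if score <= upper)

def triage(alerts):
    """Sort alerts most-malicious first; hosts without a score go last."""
    rows = []
    for alert in alerts:
        rep = (alert.get("host") or {}).get("reputation") or {}
        raw = rep.get("score")
        if raw is None:  # no reputation data returned for this host
            rows.append((alert["ip"], None, "Unscored", []))
            continue
        cats = sorted({e["category"] for e in rep.get("evidence", []) if "category" in e})
        rows.append((alert["ip"], ui_score(raw), level(raw), cats))
    return sorted(rows, key=lambda r: (r[1] is None, -(r[1] or 0)))

# Constructed sample data: documentation IPs, placeholder category strings.
SAMPLE_ALERTS = [
    {"ip": "192.0.2.10", "host": {"reputation": {
        "score": 0.205, "evidence": [{"category": "anonymization"}]}}},
    {"ip": "198.51.100.7", "host": {"reputation": {
        "score": 0.81, "evidence": [{"category": "c2"},
                                    {"category": "network_infrastructure"}]}}},
    {"ip": "203.0.113.5", "host": {}},
]

if __name__ == "__main__":
    for ip, score, lvl, cats in triage(SAMPLE_ALERTS):
        print(f"{ip:15} {score!s:>5} {lvl:12} {', '.join(cats)}")
```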
Historical reputation score data
Historical reputation score data is not available. On historical hosts, the reputation score shown in the raw data is the reputation score based on the most recent scan data. It is not reflective of the reputation score of the host at a particular point in time.
