Threat Hunting
The Threat Hunting module is an add-on to the Censys Platform that allows organizations to detect, analyze, and track threat infrastructure with speed and precision. The threat dataset available within the module enriches existing host and web property records with threat-specific data that provide additional context for investigations.
The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help users validate threats in real time and uncover hidden clusters of malicious assets. Users can also pivot across current and historical data to identify shared traits across infrastructure.
The Threat Hunting module includes:
- Threat dataset: The threat dataset maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties. This data enables security teams to investigate and track malicious activity across the internet. It helps identify infrastructure used to distribute malware and link it to known threat actors. The threat dataset also includes JA3, JA4, and JARM data.
- Explore Threats page: Provides threat hunters with a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
- CensEye automated pivoting tool: Extracts key-value pairs from a host, such as HTTP headers, SSH banners, and TLS certificates, to identify traits that describe the asset. Use these values to identify other assets with similar traits and pivot across related infrastructure that may indicate shared tooling or threat actor activity. Once you identify related assets, you can group and monitor them using collections.
- Live Rescan and Discovery: Run fresh scans on specific ports or services to view side-by-side comparisons of scan results. These comparisons help you instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for Censys' scheduled scans.
- Certificate history: The Certificate Timeline provides a visual history of when a certificate was presented on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.
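The key-value pivoting idea described for CensEye above can be sketched offline as follows. This is an added example, not Censys code or the CensEye implementation: the field names, the sample hosts, and the `max_share` cutoff are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records (documentation IP ranges, made-up values).
# Field names are hypothetical, not the Censys data model.
HOSTS = {
    "198.51.100.10": {"http.header.server": "nginx", "ssh.banner": "SSH-2.0-seed-only",
                      "tls.cert.fingerprint": "aa11", "http.header.x-panel": "v2"},
    "203.0.113.7": {"http.header.server": "nginx", "tls.cert.fingerprint": "aa11",
                    "http.header.x-panel": "v2"},
    "203.0.113.9": {"http.header.server": "nginx", "tls.cert.fingerprint": "aa11"},
    "192.0.2.20": {"http.header.server": "nginx", "tls.cert.fingerprint": "bb22"},
    "192.0.2.21": {"http.header.server": "nginx", "tls.cert.fingerprint": "cc33"},
    "192.0.2.22": {"http.header.server": "Apache", "tls.cert.fingerprint": "dd44"},
}

def pivot_candidates(hosts, seed, max_share=0.5):
    """Return the seed's key-value pairs worth pivoting on, rarest first.

    A pair is kept when at least one other host has it (otherwise there is
    nothing to pivot to) and at most max_share of the other hosts have it
    (otherwise it describes common software, not shared tooling).
    """
    index = defaultdict(set)              # (key, value) -> hosts exposing it
    for ip, traits in hosts.items():
        for pair in traits.items():
            index[pair].add(ip)
    population = len(hosts) - 1           # every host except the seed
    kept = []
    for pair in hosts[seed].items():
        others = sorted(index[pair] - {seed})
        if others and len(others) / population <= max_share:
            kept.append((pair, others))
    return sorted(kept, key=lambda item: (len(item[1]), item[0]))

def related_hosts(hosts, seed, max_share=0.5):
    """Score other hosts by how many distinctive pairs they share with the seed."""
    score = Counter()
    for _pair, others in pivot_candidates(hosts, seed, max_share):
        score.update(others)
    return score.most_common()

if __name__ == "__main__":
    for pair, others in pivot_candidates(HOSTS, "198.51.100.10"):
        print(pair, "->", others)
    print(related_hosts(HOSTS, "198.51.100.10"))
```

In the sample data the `nginx` server header is dropped as too common and the seed-only SSH banner is dropped because it leads nowhere, which leaves the certificate fingerprint and the custom header as the useful pivots.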
Prerequisites
- Your organization must be on the Enterprise tier.
- Your organization must purchase the Threat Hunting module.
Credit consumption
Actions taken in the Threat Hunting module within the Platform UI do not deduct from your organization's credit balance.