Threat Hunting
The Threat Hunting module is an add-on to the Censys Platform that allows organizations to detect, analyze, and track threat infrastructure with speed and precision. The threat dataset available within the module enriches assets with threat-specific data that provides additional context for investigations.
The module enables you to explore the threat dataset with structured tools, historical context, and workflows. These capabilities help you validate threats in real time and uncover hidden clusters of malicious assets. You can also pivot across current and historical data to identify shared traits across infrastructure.
The Threat Hunting module includes:
- Threat dataset: The threat dataset maps malware families, threat actors, and tactics to services or endpoints running on exposed hosts and web properties. This data enables you to investigate and track malicious activity across the internet: it helps identify infrastructure used to distribute malware or run command-and-control and link it to known threat actors. The threat dataset also includes TLS fingerprint data (JA3/JA4 fingerprints derived from the TLS handshake and JARM active server fingerprints), which can be used to find other hosts presenting the same TLS stack. Threat data is presented on a centralized dashboard on the Explore Threats page (see below), and users with access to the Threat Hunting module see threat data throughout the entire Platform UI. Threat data is also retrievable via the API.
- Explore Threats page: Provides you with a centralized view into internet-facing infrastructure linked to malware and threat actors. Use interactive visualizations, curated threat profiles, and simplified filtering to quickly identify relevant threats.
- CensEye automated pivoting tool: CensEye helps you identify hosts and web properties on the internet that share a specific key-value pair with the asset you are currently viewing. It extracts data values such as HTTP headers, SSH banners, and TLS certificate fields, then shows how many other assets present the same value. Values shared by only a handful of other assets are the strongest pivots; values shared by a large share of the internet (a common Server header, for example) carry little signal on their own and are best combined with other attributes. This allows you to pivot into related infrastructure and build queries based on shared characteristics. Once you identify related assets, you can group and monitor them using collections.
- Live Rescan and Discovery: Run fresh scans on specific ports to view side-by-side comparisons of scan results. These comparisons help you to instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for scheduled Censys scans.
- Certificate history: The Certificate Timeline provides a visual history of when a certificate was observed on hosts and web properties. This historical context simplifies the detection of patterns, trends, and anomalies, such as a certificate reappearing on new hosts after a takedown, that could signal malicious behavior.
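The pivoting step that CensEye automates (count how many other assets share each key-value pair of the asset you are looking at, then intersect the useful ones) can be reproduced offline over a small set of records. The example below is added here for illustration; it is not Censys code and does not call the Censys API. The host records, field names, and fingerprint strings are all constructed, and the query string it emits uses a generic `field:"value"` syntax rather than any particular product's query language.

```python
"""Pivoting on shared host attributes, in the spirit of CensEye.

Illustrative code written for this page; it is not Censys code and does
not call the Censys API. Field names and all host records are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Dict[str, str]

# Constructed sample scan data: host -> flattened key/value attributes.
# Two hosts (203.0.113.10/11) share everything; 198.51.100.6 shares the
# SSH banner and certificate CN but presents a different TLS fingerprint.
HOSTS: Dict[str, Record] = {
    "203.0.113.10": {  # the host under investigation
        "http.headers.server": "nginx",
        "http.title": "Login",
        "ssh.banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
        "tls.cert.subject_cn": "update-cdn.example",
        "tls.jarm": "jarm-fingerprint-A",
    },
    "203.0.113.11": {
        "http.headers.server": "nginx",
        "http.title": "Login",
        "ssh.banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
        "tls.cert.subject_cn": "update-cdn.example",
        "tls.jarm": "jarm-fingerprint-A",
    },
    "198.51.100.5": {
        "http.headers.server": "nginx",
        "http.title": "Welcome",
        "ssh.banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
        "tls.cert.subject_cn": "shop.example",
        "tls.jarm": "jarm-fingerprint-B",
    },
    "198.51.100.6": {
        "http.headers.server": "Apache",
        "http.title": "Login",
        "ssh.banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
        "tls.cert.subject_cn": "update-cdn.example",
        "tls.jarm": "jarm-fingerprint-B",
    },
    "192.0.2.7": {
        "http.headers.server": "nginx",
        "http.title": "Welcome",
        "ssh.banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    },
    "192.0.2.8": {
        "http.headers.server": "nginx",
        "http.title": "Login",
        "ssh.banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
    },
}


def build_index(hosts: Dict[str, Record]) -> Dict[Tuple[str, str], Set[str]]:
    """Inverted index: (field, value) -> set of hosts presenting that value."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, rec in hosts.items():
        for field, value in rec.items():
            index[(field, value)].add(host)
    return index


def pivot_counts(hosts: Dict[str, Record], target: str) -> List[Tuple[str, str, int]]:
    """For each attribute of `target`, how many *other* hosts share it."""
    index = build_index(hosts)
    return [(f, v, len(index[(f, v)]) - 1) for f, v in hosts[target].items()]


def rank_pivots(hosts: Dict[str, Record], target: str, max_share: float = 0.5):
    """Usable pivots: shared by at least one other host, but not by more than
    `max_share` of the other hosts (too common to carry signal on its own).
    Rarest first, so the most specific pivot is at the top."""
    others = len(hosts) - 1
    usable = [(f, v, n) for f, v, n in pivot_counts(hosts, target)
              if 0 < n <= max_share * others]
    return sorted(usable, key=lambda t: (t[2], t[0]))


def cluster(hosts: Dict[str, Record], target: str, fields: List[str]) -> List[str]:
    """Hosts (target included) that match `target` on every listed field."""
    index = build_index(hosts)
    members = set(hosts)
    for f in fields:
        members &= index[(f, hosts[target][f])]
    return sorted(members)


def build_query(hosts: Dict[str, Record], target: str, fields: List[str]) -> str:
    """Conjunction of field:"value" terms; generic illustrative syntax only."""
    return " AND ".join(f'{f}:"{hosts[target][f]}"' for f in fields)


if __name__ == "__main__":
    target = "203.0.113.10"
    for field, value, n in rank_pivots(HOSTS, target):
        print(f"{n} other host(s) share {field}={value!r}")
    chosen = ["ssh.banner", "tls.cert.subject_cn"]
    print("cluster:", cluster(HOSTS, target, chosen))
    print("query:", build_query(HOSTS, target, chosen))
```

With the constructed data, the nginx Server header and the "Login" page title are shared by most of the other hosts and are filtered out, while the TLS fingerprint (one other host), SSH banner and certificate CN (two others each) survive as pivots. Intersecting the SSH banner and certificate CN yields a three-host cluster; adding the TLS fingerprint narrows it to the two hosts that are configured identically, which is the kind of cluster you would then save as a collection and monitor.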
Prerequisites
- Organization must be on Enterprise tier.
- Organization must purchase Threat Hunting module.
Credit consumption
Actions taken in the Threat Hunting module or that target Threat Hunting data within the Platform UI do not deduct from your organization's credit balance.