Threat Hunting

The Threat Hunting Module in the Censys Platform allows organizations to detect, analyze, and track adversary infrastructure with speed and precision. The module empowers users to validate threats in real time, surface hidden clusters of malicious assets, and pivot between current and historical indicators to accelerate investigations.

Platform threat hunting tools provide a structured, real-time view into global attacker behavior. Whether you are uncovering related assets, building custom detections, or tracking infrastructure changes over time, Censys provides the data and workflows to proactively defend against evolving threats.

The Threat Hunting Module includes:

  • Threat dataset: The threat dataset maps malware, threat actors, and tactics to services or endpoints running on exposed hosts and web properties. This data enables security teams to investigate and track malicious activity across the internet by identifying infrastructure that is used to distribute malware and that is associated with known threat actors.
  • Explore Threats page: Search and investigate malicious infrastructure enriched with metadata on malware families, threat actors, and tactics.
    • Build Collections for threats to receive alerts about new assets in near-real-time.
  • CensEye automated pivoting tool: Surface behavioral patterns and identify related infrastructure using similarity analysis across key asset attributes.
  • Live Rescan and Discovery: Instantly validate infrastructure behavior, detect configuration changes, and confirm asset persistence without waiting for Censys' scheduled scans.
  • Certificate History: The Certificate Timeline provides a visual history of when a certificate was presented on hosts and web properties. This visualization gives threat hunters historical context that simplifies the detection of patterns, trends, and anomalies that could signal malicious behavior.

Prerequisites

  • Organization must be on Enterprise tier.
  • Organization must purchase Threat Hunting Module.

Credit consumption

The table below provides information about features specific to Threat Hunting and their associated cost in credits.

Note: Any core actions you perform (such as searching across hosts, certificates, web properties, and adding filters to your search results) consume credits. For more information, see Censys Credits.

| Feature | Cost | Details |
| --- | --- | --- |
| CensEye | 5 credits per key-value pair returned in the CensEye run. | CensEye performs analysis across a subset of fields with a high likelihood of being significant pivots in an investigation. Results vary per asset given the attributes present. |
| Live Discovery | 50 credits per port scanned | Users are not charged if the scan was rate-limited, returned an error, or was otherwise unable to be initiated. |
| Live Rescan | 30 credits per service rescanned | Users are not charged if the scan was rate-limited, returned an error, or was otherwise unable to be initiated. |
| Cert Host History Visualization | 1 credit per visualized host/web property | Users are charged credits for each unique host and web property the visualization displays within the specified date range. |
| Explore Threats Page | Varies | Core actions for credit consumption apply. |
| Threat Details Page | 5 credits | Viewing the threat details page consumes 5 credits. |