Use CensEye to Build Detections
Use CensEye to discover related infrastructure and potential threat indicators across the internet by identifying shared traits between exposed hosts. CensEye extracts key-value pairs from a host, such as HTTP headers, SSH banners, and TLS certificates, to identify traits that uniquely describe the asset. These values are used to find other assets with similar traits, allowing you to pivot across related infrastructure that may indicate shared tooling or threat actor activity.
For example, if a host returns a unique SSH banner or presents a distinct HTTP header, CensEye captures those as fingerprints. It then searches the Censys Internet Map to discover assets with matching attributes. This can uncover related infrastructure that shares deployment tools, malware frameworks, or operational patterns. These connections can reveal clusters of malicious activity, identify infrastructure linked to a known threat actor, or detect staging servers with similar configurations.
Once you identify related assets, you can group and monitor them using Collections. Collections enable you to track threat-related infrastructure over time, and by pairing them with webhooks, you can stay ahead of adversary infrastructure changes and respond quickly to new threats.
Use CensEye
- Go to a host associated with a known threat.
- Scroll down to the Discover Pivots tab.

- Click Run CensEye.
- Review the extracted key-value pairs.
CensEye returns key-value pairs on this host and identifies other assets with matching attributes. In the screenshot below, the number to the left shows how many internet-facing assets share the same attribute.
This data can be used to pivot from one malicious host to a broader set of related infrastructure that shares the same attribute. You can track patterns across assets with similar characteristics and investigate the assets to determine shared usage or intent.

- Click 🔍 to the right of the key-value pair to execute a search.
Using the example above, a search is executed for a certificate hash: host.services.endpoints.http.body_hash_sha256.
- CensEye returns the 48 assets. Filter the data to isolate the most relevant infrastructure. In the left-hand nav, the Threats filter shows that 3 of these assets are associated with Viper malware. Or, you might look for unusual port numbers. This is where your threat hunting skills lead you forward.

This example is truncated.
Use CensEye to accelerate Threat Hunting
Using CensEye in a threat hunting context helps organizations scale their security operations by making it easier to explore internet-facing assets that share key-value pairs with a known infected host or service. CensEye summarizes insights by sorting the data by key-value pairs. You can then run a query by clicking 🔍 to return all the hosts that have the attribute.
Previously, you had to use the Raw Data tab to view key-value pairs. A single host might expose 50 or more pairs, which can take some time to search through. Many attributes return a large number (50k+) of assets when searched, which isn't very actionable. This form of exploration isn't cost-effective in terms of time and credit consumption.
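The following added example (not Censys code) illustrates the pivot-ranking idea described above on constructed data: it flattens host records into dotted key-value pairs, counts how many hosts share each pair, and keeps only pairs that are shared but not too common to act on. The record layout, all values, and the names rank_pivots, make_host and max_matches are assumptions; only the host.services.endpoints.http.body_hash_sha256 field path comes from this page.

```python
from collections import Counter

def flatten(obj, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested host record."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:          # list items share the parent's key path
            yield from flatten(item, prefix)
    else:
        yield prefix, str(obj)

def rank_pivots(seed, corpus, max_matches=100):
    """Return (count, key, value) for seed pairs worth pivoting on, rarest first."""
    counts = Counter()
    for host in corpus:           # corpus is expected to include the seed
        counts.update(set(flatten(host)))   # count each pair once per host
    pivots = []
    for key, value in set(flatten(seed)):
        n = counts[(key, value)]
        # n == 1 is only the seed itself; above max_matches is too common to act on
        if 2 <= n <= max_matches:
            pivots.append((n, key, value))
    return sorted(pivots)

def make_host(ip, port, body_hash):
    """Constructed record; layout is an assumption, not the Censys schema."""
    return {"host": {"ip": ip, "services": [
        {"port": port, "protocol": "HTTP",
         "endpoints": [{"http": {"body_hash_sha256": body_hash}}]},
        {"port": 22, "protocol": "SSH", "banner": "SSH-2.0-OpenSSH_8.9"},
    ]}}

# Constructed sample data (documentation IP ranges, placeholder hashes).
SEED = make_host("192.0.2.10", 8443, "aa11-constructed")
CORPUS = [
    SEED,
    make_host("192.0.2.11", 8443, "aa11-constructed"),
    make_host("198.51.100.7", 443, "bb22-constructed"),
    make_host("203.0.113.5", 443, "cc33-constructed"),
    make_host("203.0.113.6", 80, "aa11-constructed"),
]

if __name__ == "__main__":
    for n, key, value in rank_pivots(SEED, CORPUS, max_matches=3):
        print(f"{n:>3}  {key} = {value}")
```

With max_matches=3, the SSH banner and protocol values shared by all five hosts drop out, leaving the port and body hash as the narrow pivots.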
Collections
Use Collections to track changes and receive alerts about a group of threat-related assets. This helps you to proactively monitor evolving infrastructure and keep your IP blocklists current.
For example, you receive an alert that a new asset has surfaced with a key-value pair you are tracking. It matches a known adversary fingerprint you are tracking. You investigate the asset and the surrounding infrastructure and build new fingerprints to proactively identify and block related assets.
After you create a collection, you can create a webhook to receive trigger-based updates when new assets are added to or removed from your collection. Webhooks deliver Censys data to various applications, enabling users to monitor events and take action as needed.