Use Live Rescan and Discovery to Validate Infrastructure

Live Discovery, Live Rescan, and Event History help threat hunters validate infrastructure and track changes over time. This trio of features allow you to run fresh scans on specific ports or services, view side-by-side comparisons of scan results, and detect changes in behavior, configuration, or known vulnerabilities.

You can also explore historical relationships between hosts, web properties, and certificates to better understand infrastructure changes over time and support detection efforts based on historical attributes.

Threat hunters can use these tools to:

• Quickly validate persistence
• Identify new threats and vulnerabilities
• Track evolving infrastructure
• Monitor added/removed services

Threat hunters can understand how infrastructure evolves between scans, without waiting for Censys' scheduled scans.

Live Rescan

Live Rescan provides threat hunters with the ability to update and validate threat intelligence by scanning individual services or endpoints. It allows you to initiate a scan without waiting for the next scheduled Censys scan. A rescan shows the most current view of a host and assists you to identify persistent threats and newly surfaced malicious infrastructure.

Live Rescan enables threat hunters to: assists you with , hunters can confirm:

• Know if a threat is still active
• Discover new ports and endpoints that weren't visible on a host during earlier scans to discover emerging threats
• Compare current findings with previous results to identify changes and new threats

This functionality enhances your ability to track infrastructure changes and detect evolving attacker behavior while maintaining high-quality detections. Live Rescan adds speed and precision to investigations and ensures threat data reflects the current state of the internet.

📘

Note

Censys enforces global host rate limits to prevent overloading hosts during scans.

Use Live Rescan

Live Rescan can be executed on a service or endpoint on a host. It's also used on web properties, but comparison data is not available.

Follow the steps below to use Live Rescan:

1. Identify service or endpoint on a host that you want to rescan.

2. Click the Live Rescan button.

   

3. The scan may take a few minutes to complete.

   

4. After the scan completes, one of the following messages will appear.

   Message	Explanation
   Success - Results Found	Success - Results Found View Differences in Results
   Success - No Results Found	No service/endpoint identified
   Failure - Rate Limit	This service has been scanned too recently and is temporarily rate-limited. Please try again later.
   Failure - Other	Rescan could not be successfully conducted. Please try again later.

5. Click View Difference in Results after the scan completes.

6. You are redirected to the Event History tab. In the screenshot below, you see 97 Changes Found.

   The rescan comparison view displays a side-by-side snapshot of a service’s previous and current state. The left column shows the older scan. This provides you with a current snapshot of a service's state to confirm if it's still active and understand exactly what changed.

   The parallel view highlights changes in security-related data such as updated fingerprints, HTTP response bodies, or vulnerability status. It allows threat hunters confirm persistence, spot configuration changes, and identify newly introduced threats without waiting for the regular scan cycle.

   

Live Discovery

Allows you to check if a new service is active on a specific port of a host. Enter a port to scan for service changes on asset.

Allows on-demand scanning of specific ports on a host.
Useful when specific actor behaviors are suspected (e.g., always opens a certain port).

1. On a host, go to Live Discovery section in the upper-right corner. Click Live Discovery to open the scan field.

   

2. Enter a port in to the field and click Scan.

3. The scan may take a few minutes to complete.

   

4. After the scan completes, one of the following messages will appear.

   Message	Explanation
   Success - Results Found	Success - Results Found View Differences in Results
   Success - No Results Found	No service/endpoint identified
   Failure - Rate Limit	This service has been scanned too recently and is temporarily rate-limited. Please try again later.
   Failure - Other	Rescan could not be successfully conducted. Please try again later.

5. Click View Difference in Results after the scan completes.

6. In the example below, the earlier scan (left) detected multiple services on port 80. In the more recent scan (right), those services are no longer visible. This may indicate that the services were taken offline, blocked, or otherwise became unreachable.

   

Event History

The Event History tab on a host allow you to compare two events on a host from different points in time.

A timeline of scans on the host that shows observed ports, protocols, and timestamps. View historical hostprovides a snapshot of the services, software, and vulnerabilities detected during that scan. This can assist analysts to track how a host’s exposure changed over time and investigate emerging threats.

Compare two events

The Event History tab allows you to compare two events. To compare events:

1. Check the two hosts you want to compare.
2. Click Compare.

The compare view shows a side-by-side snapshot of two scans on the same host. The left column shows the older scan. These snapshots assist you to identify what changed over time.

• Red text indicates values present in the older scan that could be removed or modified in the newer instance.
• Green text indicates new data that wasn’t present before.
• Unchanged fields are displayed in neutral text for context.