Censys maintains three datasets through daily ZMap scans of the Internet and by synchronizing with public certificate transparency logs:

• Hosts on the Public IPv4 Address Space
• Websites in the Alexa Top Million Domains
• X.509 Certificates

You can search for records that meet certain criteria (e.g., IPv4 hosts in Germany manufactured by Siemens, or browser trusted certificates for github.com), generate reports on how websites are configured (e.g., what cipher suites are chosen by popular websites?), and track how networks have patched over time.

We also post all of our raw data, provide programmatic access through a REST API, and publish reports on protocol deployment and the supporting PKI.

Simple Search

If you simply search for a word or phrase, Censys will return any records that contain the phrase. For example, searching for nginx will return any records that contain the word nginx. Searching for 23.0.0.0/8 will return all hosts in that network. Check out some of our example searches.

Advanced Search

Censys data is structured and supports more advanced queries including searching specific fields, specifying ranges of values, and boolean logic. For example, you can search for hosts with the HTTP Server Header "Apache" in Germany by running the query 80.http.get.headers.server: Apache and location.country_code: DE. [more information]

SQL Interface

To facilitate complex questions that can't be expressed in a single search, we also allow researchers to run SQL queries against the raw datasets and historical snapshots. [more information]

By default, Censys performs full-text searches. For example, searching for Dell will find any hosts where the word Dell appears in the record—it won't limit the search to Dell manufactured devices. However, this is possible by querying specific fields using the follow syntax:

Specifying Fields

Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query: 80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for the Censys certificate.

Boolean Logic

You can compose multiple statements using the terms and, or, not, and parentheses. For example, ("Schneider Electric" or Dell) and 23.20.0.0/14. By default, all included terms are optional (i.e., executed as an or statement).

Ranges

You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax: [2012-01-01 TO 2012-12-31]. One sided limits can also be specified: [2012-01-01 TO *]. Warning! The TO operator must be capitalized.

Wildcards and Regular Expressions

By default, Censys searches for complete words. In other words, the search Del will not return records that contain the word Dell. Wildcard searches can be run on individual terms, using ? to replace a single character, and * to replace zero or more characters. For example, if you want to search for words that start with Del, you would search for Del*.

You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. The full regex syntax is available here.

Boosting

The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR "Schneider Electric" places more preference on the Dell keyword.

Reserved Characters

The following characters must be escaped with a backslash: + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /.

Below are a series of example queries:

Below are the fields defined in the index.