Censys Internet Host Search

Search the Censys internet intelligence platform for internet-connected hosts and devices directly from Apify. Query by IP address, domain name, open service, TLS certificate, geolocation, autonomous system, or any combination of Censys search attributes. Returns structured data including open ports, running services, geolocation with GPS coordinates, AS information, OS fingerprints, and reverse DNS records -- all ready for export to JSON, CSV, Excel, or downstream pipelines.

Censys continuously scans the entire public IPv4 address space and indexes every reachable host. This actor wraps the Censys Search 2.0 API into a cloud-ready automation tool with pagination, error handling, and a dry-run demo mode that works without credentials. The free Censys tier provides 250 queries per month -- more than enough for security monitoring, asset discovery, and infrastructure research.

---

Why use Censys Internet Host Search

Running Censys searches through Apify gives you capabilities that calling the raw API cannot match:

• Scheduled monitoring -- Set up recurring scans to track your attack surface on a daily or weekly cadence using Apify's built-in scheduler. Detect newly exposed services before attackers do.
• Zero infrastructure -- No servers, cron jobs, or deployment pipelines to maintain. The actor runs in Apify's managed cloud and handles authentication, pagination, and rate limit errors.
• Pipeline-ready output -- Feed results directly into webhooks, Google Sheets, Slack alerts, or downstream Apify actors. The structured JSON output works cleanly in spreadsheets, databases, and BI tools.
• Clean data transformation -- The raw Censys API response is normalized into a flat, consistent schema. Services are extracted into arrays, locations include coordinates, and every result gets a direct Censys link.
• Built-in dry-run mode -- Test the full integration workflow without providing API credentials. The actor returns a realistic sample result so you can validate your downstream pipeline before connecting real data.
• Cost efficiency -- Minimal compute footprint means hundreds of runs fit within Apify's free tier. Combined with Censys's free 250 queries per month, you can run a meaningful security monitoring program at zero cost.

---

Key features

• Full Censys query language -- Use the same powerful query syntax available on the Censys web interface, including boolean operators (AND, OR, NOT), field-specific filters, IP ranges, and wildcard matching.
• Automatic cursor-based pagination -- The actor handles multi-page result fetching behind the scenes, collecting up to 100 hosts per run across multiple API calls of 25 results each.
• Rich host intelligence -- Every result includes IP address, open services with port numbers and transport protocols, geolocation with country, city, and GPS coordinates, autonomous system (ASN) details, detected operating system, and reverse DNS hostnames.
• Direct Censys links -- Each result includes a clickable URL to the full host profile on Censys for deep-dive investigation of services, certificates, and historical scan data.
• Dry-run demo mode -- Runs without API credentials and returns a sample host result, letting you test integrations before committing to an API key.
• Robust error handling -- Clear, actionable error messages for 401/403 authentication failures, 429 rate limit exceeded, invalid queries, and empty result sets.
• Run summary logging -- After each run, the actor logs the top 10 most common ports and top 5 countries found across all results, giving you an instant overview of the data.
• Configurable result limits -- Control exactly how many hosts to fetch (1 to 100) to balance thoroughness against Censys API quota consumption.
• Minimal resource usage -- Runs on 256 MB memory and typically completes in under 30 seconds, keeping Apify platform costs near zero.

---

How to use

Apify Console

1. Navigate to the Censys Internet Host Search actor page on Apify.
2. Click Try for free to open the actor in the Apify Console.
3. Enter your Censys search query in the Search Query field (e.g., services.service_name: HTTP AND location.country: US).
4. Provide your Censys API ID and Censys API Secret. If you do not have them, register for free at censys.io/register. Without credentials, the actor runs in dry-run demo mode.
5. Set Max Results to the number of hosts you want (1--100, default 25).
6. Click Start and wait for the run to complete.
7. View results in the Dataset tab. Export as JSON, CSV, or Excel, or access via the Apify API.

Apify API

Trigger the actor programmatically by sending a POST request:

curl -X POST "https://api.apify.com/v2/acts/ryanclinton~censys-search/runs?token=YOUR_APIFY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "services.service_name: HTTP AND location.country: US",
    "apiId": "YOUR_CENSYS_API_ID",
    "apiSecret": "YOUR_CENSYS_API_SECRET",
    "maxResults": 50
  }'

---

Input parameters

Parameter	Type	Required	Default	Description
query	string	Yes	--	Censys search query using full Censys query syntax. Supports boolean operators (AND, OR, NOT), field-specific filters, IP ranges, and wildcards.
apiId	string	No	--	Your Censys API ID. Register free at censys.io/register. Without this, a dry-run demo result is returned.
apiSecret	string	No	--	Your Censys API Secret. Required alongside API ID for real results.
maxResults	integer	No	25	Maximum number of host results to return. Range: 1--100. Each page of 25 results consumes one API query from your Censys quota.

Example input (JSON)

{
    "query": "services.port: 443 AND autonomous_system.name: AMAZON",
    "apiId": "YOUR_CENSYS_API_ID",
    "apiSecret": "YOUR_CENSYS_API_SECRET",
    "maxResults": 50
}

Query syntax tips

• Filter by service: services.service_name: HTTP, services.service_name: SSH, services.service_name: MONGODB
• Filter by port: services.port: 22, services.port: 8080
• Filter by location: location.country: United States, location.country_code: GB
• Filter by IP: ip: 8.8.8.8, ip: 192.168.0.0/16
• Filter by certificate: services.tls.certificates.leaf_data.subject.common_name: example.com
• Filter by ASN: autonomous_system.asn: 15169, autonomous_system.name: GOOGLE
• Combine filters: services.service_name: HTTP AND location.country_code: DE AND NOT services.tls
• Negate: NOT services.service_name: SSH

---

Output

Each host in the output dataset contains the following structured data:

{
    "ip": "93.184.216.34",
    "services": [
        {
            "port": 80,
            "serviceName": "HTTP",
            "transportProtocol": "TCP"
        },
        {
            "port": 443,
            "serviceName": "HTTPS",
            "transportProtocol": "TCP"
        }
    ],
    "location": {
        "country": "United States",
        "countryCode": "US",
        "city": "Norwell",
        "coordinates": {
            "latitude": 42.1596,
            "longitude": -70.8168
        }
    },
    "autonomousSystem": {
        "asn": 15133,
        "name": "EDGECAST",
        "bgpPrefix": "93.184.216.0/24"
    },
    "operatingSystem": "Linux",
    "reverseDns": [
        "example.com"
    ],
    "lastUpdatedAt": "2025-12-15T08:30:00.000Z",
    "censysUrl": "https://search.censys.io/hosts/93.184.216.34",
    "extractedAt": "2026-02-10T14:22:33.456Z"
}

Output fields reference

Field	Type	Description
ip	string	The IPv4 address of the discovered host
services	array	List of open services, each with port (number), serviceName (string), and transportProtocol (TCP/UDP)
location	object	Geographic location with country, countryCode, city, and coordinates containing latitude and longitude
autonomousSystem	object	Network information with asn (AS number), name (network operator), and bgpPrefix (IP block)
operatingSystem	string	Detected operating system (e.g., "Linux", "Windows Server 2019 Standard")
reverseDns	array	Reverse DNS hostnames associated with the IP address
lastUpdatedAt	string	When Censys last scanned this host (ISO 8601 timestamp)
censysUrl	string	Direct link to the full host profile on Censys for deep investigation
extractedAt	string	When the actor extracted this result (ISO 8601 timestamp)

---

Use cases

• Attack surface management -- Continuously monitor your organization's public-facing IP ranges for newly exposed services, unexpected open ports, or misconfigured hosts. Schedule weekly scans to track changes.
• Shadow IT detection -- Search for hosts running services within your corporate ASN that are not part of the known asset inventory. Find unauthorized servers, forgotten test instances, or developer machines exposed to the internet.
• Certificate inventory -- Search for all hosts presenting TLS certificates issued to your domain. Identify expired, misconfigured, or unauthorized certificates across your infrastructure.
• Vulnerability triage -- Find hosts running specific software versions known to have vulnerabilities. Search for outdated services like old SSH implementations, unpatched web servers, or databases exposed without authentication.
• Competitive intelligence -- Map a competitor's public infrastructure by querying their domain name or autonomous system. Understand their hosting providers, geographic distribution, and technology stack.
• Supply chain risk assessment -- Investigate the internet-facing infrastructure of vendors and partners. Check for exposed services, weak TLS configurations, or geographically unexpected hosting.
• Security research -- Study the prevalence of specific protocols, services, or configurations across the internet. Analyze global adoption of encryption standards, identify honeypots, or track botnet infrastructure.
• Incident response -- During a security incident, quickly look up suspicious IP addresses to understand what services they run, where they are located, and what network they belong to.
• Compliance auditing -- Verify that hosts in regulated environments are not exposing prohibited services. Confirm that servers are located in approved geographic regions and are running required security configurations.
• IoT device discovery -- Search for internet-connected IoT devices by their characteristic service fingerprints, open ports, or HTTP banners. Map the exposure of specific device types across networks or regions.

---

API and integration

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_APIFY_TOKEN")

run = client.actor("ryanclinton/censys-search").call(run_input={
    "query": "services.service_name: HTTP AND location.country_code: US",
    "apiId": "YOUR_CENSYS_API_ID",
    "apiSecret": "YOUR_CENSYS_API_SECRET",
    "maxResults": 50,
})

dataset = client.dataset(run["defaultDatasetId"])
for item in dataset.iterate_items():
    print(f"{item['ip']} -- {len(item['services'])} services -- {item['location']['country']}")

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });

const run = await client.actor('ryanclinton/censys-search').call({
    query: 'services.port: 22 AND autonomous_system.name: AMAZON',
    apiId: 'YOUR_CENSYS_API_ID',
    apiSecret: 'YOUR_CENSYS_API_SECRET',
    maxResults: 25,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach(host => {
    console.log(`${host.ip} -- ${host.services.map(s => `${s.port}/${s.serviceName}`).join(', ')}`);
});

cURL

# Start a run
curl -X POST "https://api.apify.com/v2/acts/ryanclinton~censys-search/runs?token=YOUR_APIFY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "query": "ip: 8.8.8.8",
    "apiId": "YOUR_CENSYS_API_ID",
    "apiSecret": "YOUR_CENSYS_API_SECRET",
    "maxResults": 10
  }'

# Fetch results from the dataset (replace DATASET_ID from run response)
curl "https://api.apify.com/v2/datasets/DATASET_ID/items?token=YOUR_APIFY_TOKEN&format=json"

Integrations

Connect Censys search results to your existing tools:

• Google Sheets -- Export host data automatically to spreadsheets for tracking and reporting.
• Slack / Microsoft Teams -- Send webhook notifications when new hosts or unexpected services are discovered.
• Webhooks -- Trigger custom endpoints with results for SIEM ingestion, ticketing systems, or asset databases.
• Zapier / Make -- Build no-code workflows that react to Censys findings.
• Other Apify actors -- Chain with DNS Record Lookup, SSL Certificate Search, or NVD CVE Vulnerability Search for multi-layered analysis.

---

How it works

+-----------------+     +------------------+     +-----------------+
|   Apify Input   | --> |   Credential     | --> |  Censys API v2  |
|  (query, auth,  |     |   Check          |     |  POST /hosts/   |
|   maxResults)   |     |  (dry-run if     |     |  search         |
|                 |     |   missing)       |     |  (Basic Auth)   |
+-----------------+     +------------------+     +-----------------+
                                                        |
                                                        v
                        +------------------+     +-----------------+
                        |   Transform &    | <-- |  Cursor-based   |
                        |   Normalize      |     |  Pagination     |
                        |   (per host)     |     |  (25 per page)  |
                        +------------------+     +-----------------+
                                |
                                v
                        +------------------+
                        |  Push to Apify   |
                        |  Dataset + Log   |
                        |  Summary Stats   |
                        +------------------+

1. Input validation -- The actor reads the search query, API credentials, and maxResults from the Apify input. If the query is missing, execution fails immediately with a clear error.
2. Credential check -- If API ID or API Secret is missing, the actor enters dry-run mode and pushes a single demo result to the dataset, then exits. This lets you test your pipeline without real credentials.
3. API authentication -- Credentials are encoded as a Base64 Basic Auth header (apiId:apiSecret) for the Censys Search v2 API.
4. Search request -- The actor sends a POST request to https://search.censys.io/api/v2/hosts/search with the query and page size in the JSON body.
5. Pagination loop -- Censys returns up to 25 hosts per page along with a cursor token. The actor follows cursor tokens to fetch additional pages until it reaches maxResults or exhausts available results.
6. Data transformation -- Each raw Censys host record is normalized into a clean output schema. Services are extracted into port/name/protocol arrays, locations include structured coordinates, and the autonomous system is flattened.
7. Dataset push -- Transformed host records are pushed to the Apify dataset one at a time, making them immediately available for export.
8. Summary logging -- The actor logs the total host count, the top 10 most common ports, and the top 5 countries across all results for a quick overview.

---

Performance and cost

Metric	Value
Memory	256 MB
Typical run time	5--30 seconds
Results per page	25 (Censys API limit)
Max results per run	100
API calls per run	1--4 (depending on maxResults)
Apify compute cost	~$0.001 per run (25 results)
Censys free tier	250 queries/month
Censys queries used	1 per 25 results (ceil(maxResults / 25))

Cost example: Fetching 50 hosts uses 2 Censys API queries and costs approximately $0.002 in Apify compute. Running this daily for a month uses 60 Censys queries (well within the free 250) and about $0.06 in Apify compute.

---

Limitations

• Censys free tier cap -- The free tier limits you to 250 API queries per month and 100 results per query. Each page of 25 results counts as one query. For higher volumes, upgrade to a paid Censys plan.
• IPv4 only -- Censys primarily indexes the IPv4 address space. IPv6 coverage is limited and may not return comprehensive results for IPv6-only hosts.
• Scan freshness -- Censys rescans most hosts every few days, but scan frequency varies. The lastUpdatedAt field shows when each host was last observed. Some hosts may have stale data if they have not been rescanned recently.
• No raw banner data -- The actor extracts structured service metadata (port, name, protocol) but does not include raw service banners, full certificate chains, or HTTP response bodies. Use the Censys web interface for that level of detail.
• 100 result maximum -- Each run can return at most 100 hosts due to Censys free tier pagination limits. For bulk data needs, consider the Censys data downloads or enterprise API.
• Rate limiting -- Exceeding the Censys query quota results in a 429 error. The actor does not automatically retry or queue requests -- you must wait for your quota to reset or reduce query frequency.
• No historical data -- The actor queries the current Censys index only. It does not access historical snapshots or show how a host's services have changed over time.

---

Responsible use

• Respect network boundaries -- Use Censys data for legitimate security research, asset management, and authorized testing only. Do not use discovered host information to conduct unauthorized scanning, exploitation, or attacks against systems you do not own or have permission to test.
• Protect sensitive findings -- If your search reveals exposed databases, unprotected admin panels, or other security-sensitive configurations, follow responsible disclosure practices. Notify the affected organization before publishing findings.
• Comply with Censys terms -- Your use of the Censys API is governed by the Censys Terms of Service. Ensure your queries and usage patterns comply with their acceptable use policy. Do not attempt to circumvent rate limits or access restrictions.
• Handle data responsibly -- Search results may contain information that identifies network infrastructure, geographic locations, and hosting providers. Store and share this data in accordance with applicable data protection regulations and your organization's security policies.
• Rate limit awareness -- Design your automation to stay within your Censys quota. Avoid unnecessary or duplicate queries. Use specific, targeted searches rather than broad sweeps to minimize API consumption.

---

FAQ

Do I need a Censys account to use this actor? You can run the actor without credentials to get a dry-run demo result for testing your integration pipeline. For real internet host data, you need a free Censys account from censys.io/register.

How do I get my Censys API credentials? Register at censys.io/register, then go to your account settings and navigate to the API section. Your API ID and API Secret are displayed there. Copy both values into the actor's input fields.

How many results can I get per run? Up to 100 hosts per run. The actor's maxResults parameter controls this (default 25). Each page of 25 results consumes one query from your Censys monthly quota of 250.

What query syntax does Censys support? Censys uses a structured query language with field-specific filters. Common patterns include services.service_name: HTTP, location.country_code: US, services.port: 443, autonomous_system.asn: 15169, and ip: 8.8.8.8. Combine filters with AND, OR, and NOT. See the Censys search documentation for the full reference.

How often is the Censys database updated? Censys continuously scans the internet. Most hosts are rescanned every few days, though frequency varies based on the host and protocol. Each result includes a lastUpdatedAt timestamp showing when Censys last observed that host.

What happens when I exceed the Censys rate limit? The actor returns a clear error message stating the rate limit was exceeded (HTTP 429). The free tier resets monthly. You can either wait for the reset, reduce your query frequency, or upgrade to a paid Censys plan for higher limits.

Can I search for specific vulnerabilities? Censys indexes service and software information but is not a vulnerability database. For CVE-specific searching, use the NVD CVE Vulnerability Search actor. You can combine both -- use Censys to find hosts running specific software, then check NVD for known vulnerabilities in those versions.

What is dry-run mode? When you run the actor without providing API credentials, it returns a single realistic-looking sample result with a _dryRun: true flag. This lets you test downstream integrations (webhooks, data pipelines, export formats) without using any Censys API quota.

Can I search for hosts by domain name? Yes. Use the certificate subject field to find hosts with TLS certificates for a domain: services.tls.certificates.leaf_data.subject.common_name: example.com. You can also search reverse DNS records indirectly by querying related IP ranges or autonomous systems.

How do I schedule recurring searches? In the Apify Console, open the actor's page and click Schedule. Configure a cron expression (e.g., daily at 6 AM UTC) and provide your input parameters. Apify will run the actor automatically on your schedule and store results in a new dataset for each run.

Is the data real-time? No. Censys data reflects the most recent scan of each host, which may be hours or days old. The lastUpdatedAt field tells you exactly when each host was last scanned. For real-time port scanning, you would need to run your own Nmap scans (with proper authorization).

Can I export results to CSV or Excel? Yes. After a run completes, go to the Dataset tab in the Apify Console and click the export button. Choose JSON, CSV, XML, or Excel format. You can also access the dataset via the Apify API with a format=csv or format=xlsx query parameter.

---

Related actors

Actor	Description	Use with Censys
SSL Certificate Search (crt.sh)	Search Certificate Transparency logs for SSL/TLS certificates issued to any domain	Find certificates for a domain, then use Censys to locate all hosts serving those certificates
DNS Record Lookup	Look up A, AAAA, MX, CNAME, TXT, and NS records for any domain	Resolve domain IPs with DNS, then search those IPs in Censys for full service enumeration
NVD CVE Vulnerability Search	Search the NIST National Vulnerability Database for CVEs by keyword, software, or severity	Identify software versions on Censys hosts, then check NVD for known vulnerabilities in those versions
IP Geolocation Lookup	Get detailed geolocation data for any IP address including ISP, organization, and timezone	Cross-reference Censys host locations with detailed geolocation data for richer infrastructure mapping
CISA KEV Catalog	Search CISA's Known Exploited Vulnerabilities catalog for actively exploited CVEs	After finding exposed services with Censys, check CISA KEV for vulnerabilities that are actively being exploited in the wild
OpenSanctions Search	Search global sanctions, PEP, and watchlist databases	Investigate the ownership or association of network infrastructure with sanctioned entities