
Comparative Review of OSINT Tools. Part 3.

Fixxx

The third part of the comparative review examines two relatively new tools that have already gained attention: Netlas and Criminal IP. Both platforms appeared on the market in 2022 and offered a fresh perspective on OSINT tasks, external infrastructure monitoring and cyber threat analysis. Netlas focuses on domain names, consistent data freshness and ease of monitoring, positioning itself as a tool for External Attack Surface Management. Criminal IP, on the other hand, combines the functions of an internet scanner with cyber intelligence capabilities, including automatic phishing site analysis, IP risk assessment and image search. This section examines the architecture and features of both services in detail, gives examples of their use and assesses their role as complements to better-known solutions like Shodan, Censys and FOFA.


Netlas - A New Player Focused on Domains and Data Freshness


General Characteristics


Netlas is a relatively young (founded in 2022) search engine for network assets developed by a team from Eastern Europe. It stands out with several interesting approaches: it indexes not only IP addresses but also domain names, and it strives to keep data equally fresh across all services. Netlas is positioned as a tool for External Attack Surface Management (EASM): in addition to search, the service offers monitoring and on-demand private scanning, catering to companies' need to track their external infrastructure.

Scanning and Data


Netlas's public scanners regularly survey up to 146 ports on each IP (141 TCP and 5 UDP). This is fewer than Shodan or ZoomEye, but Netlas compensates by focusing on the most significant services. The list includes all standard web ports (80, 443, 8080, 8443), mail protocols (25, 587, 465, 110, 995), database ports (27017, 3306, 5432, etc.), VPN (1194, 500, 1701...), industrial protocols (102, 502) and other popular services. A complete list is published in the Netlas documentation. The Private Scanner, a separate feature for clients, can scan an extended list (~1300 ports) on request, bringing coverage closer to ZoomEye.

The main distinction of Netlas is that it scans all selected ports uniformly. If a host is included in the current scan, its information for all 146 ports is updated at once, regardless of their popularity. This prevents the situation typical of Shodan/FOFA, where one IP has port 80 updated yesterday while port 8080 was updated a month ago (and its banner may be outdated). Netlas's position is that data "freshness" should be consistent across a host.

Netlas indexes domain names alongside IPs. When it discovers a web service, Netlas records all domains/subdomains found in its certificates or banners and maintains a separate DNS index. This makes Netlas very strong at searching for domain names and related records. Searches can be conducted by domain pattern (domain:"*.example.com"), by DNS content (e.g., dns.txt:"v=spf1 include:mailgun.org" to find all domains whose SPF records point to Mailgun) or by SSL certificate properties (cert.subject.CN="example.com").

This emphasis on DNS has an interesting effect: Netlas finds significantly more unique web resources. In tests, the number of records for ports 80/443 in Netlas was several times higher than that of competitors, because virtual hosts and domain aliases are counted. For example, Netlas counts ~344 million services on port 80, while FOFA has ~66 million and Shodan ~145 million. However, if only unique IPv4 addresses are counted, the difference is not as dramatic: Netlas discovers ~44 million active IPv4 addresses with port 80, close to Censys (~51 million). This means Netlas includes many DNS names pointing to the same IP (which can be both useful and excessive, depending on the task). Nevertheless, this approach is convenient for analyzing a company's external web resources: one can immediately see all domains pointing to a single server.

Search Language and Interface


Searching in Netlas is very flexible. The service features a modern web interface and its own DSL (domain-specific language) for queries. Formally, queries resemble JSON conditions: for example, one can write protocol:"HTTP" or combine several conditions with AND/OR. For convenience, however, Netlas also understands a syntax similar to Shodan/FOFA: most queries in the style of port:443 country:RU product:Apache work even if they don't fully conform to the JSON format. There are filters for IP, port, domain, hostname, technology (by server name or banner fingerprint, e.g., tech:nginx), country/ASN, certificate parameters (e.g., cert.subject:"CN=example.com" or the SHA-1 hash of the certificate), HTTP content (http.title, http.body) and much more. The fields and operators are documented on the website.

An example of a complex query: "find all devices with open RDP whose SSL certificate is issued by 'Microsoft' and whose web page contains the word 'Windows'". In Netlas this is expressed by combining conditions on port 3389, the certificate issuer field and the HTML body. The Netlas language also supports fuzzy searching, i.e. matching partial strings, which is useful when you don't know the full name.

The interface includes autocompletion and ready-made query templates: a library of Featured Queries with examples for various cases (searching for open cameras, finding Jenkins panels, etc.). Results are displayed in a table that can be sorted and filtered directly in the UI (for example, narrowing the found hosts by country or technology without issuing a new query).


Unique Features


In addition to its focus on domains, Netlas offers built-in DNS Lookup and WHOIS lookup tools from the interface - essentially, it can replace standard utilities like dig/whois. When viewing a domain card, you can immediately see its DNS records (A, MX, TXT, etc.) and WHOIS information without additional queries. There is also a separate search for SSL certificates (similar to Censys): you can search for hosts by SHA-1 fingerprint of the certificate or by substring in the Subject/Issuer. In terms of data, Netlas emphasizes quality and relevance: for example, when providing results, the service tries not to show "excess" - it filters out many junk banners (like repeated CDN banners/errors), normalizes geolocation and merges duplicate DNS records. As a result, the search output is often cleaner than that of Shodan (where sometimes the same host can appear multiple times through different domains).

Use Cases


Netlas is an excellent choice for external infrastructure reconnaissance of a company. For example, if a specialist needs to find out which subdomains of company X have open ports and what services run on them, a single Netlas query domain:"*.companyx.com" retrieves all domains associated with the company and their services, both those pointing to the same IP (virtual hosts) and those spread across different IPs. The results can then be sorted by port to spot rare services.

Another case: Netlas is convenient for searching for specific content on web pages combined with domain filtering. For instance, a bug hunter can search Netlas for all pages of Zyxel devices (banner:"ZyXEL") and immediately filter by the word "vulnerable" in the text, identifying which of them display a vulnerability warning on their page.

Thanks to its uniform updating, Netlas also suits vulnerability monitoring: one can save a query like product:"Apache httpd" AND cert.subject:"SomeCorp" (all Apache web servers of a specific company) and track whether a new port appears or the certificate changes; Netlas will send a notification. In red teaming, Netlas is valued for the ability to quickly launch a private scan of the required subnet before an attack: for example, a team can scan an internal /24 range with non-standard ports using the Netlas Private Scanner and immediately receive the results in a familiar interface, saving the time of setting up their own scanners.

In short, Netlas aims to combine the advantages of Shodan (banner search) and Censys (structured search + ASM) with the addition of DNS data. It's still young but already competes closely with the "veterans" in terms of capabilities.
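The behaviour described in the two sections above (service records versus unique IPs, all domains behind one server, a wildcard domain filter and the "new port / changed certificate" monitoring) can be illustrated with plain data-processing code. The block below is an added example written for this review, not Netlas code: the ServiceRecord layout is an assumed simplification of what a DNS-aware scanner returns, and the snapshots are constructed (TEST-NET-3 addresses, .example domains, fake fingerprints).

```python
"""Inventory and change-detection logic mirroring the Netlas behaviour
described above. Added illustration, not Netlas code: the record layout is an
assumed simplification and all sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class ServiceRecord:
    ip: str
    port: int
    domain: str      # hostname the service was reached under, "" if none
    cert_sha1: str   # TLS certificate fingerprint, "" for plaintext services


def group_by_ip(records):
    """Map each IP to the sorted domains and ports observed on it
    (this is the 'all domains pointing to a single server' view)."""
    grouped = defaultdict(lambda: {"domains": set(), "ports": set()})
    for r in records:
        grouped[r.ip]["ports"].add(r.port)
        if r.domain:
            grouped[r.ip]["domains"].add(r.domain)
    return {ip: {"domains": sorted(v["domains"]), "ports": sorted(v["ports"])}
            for ip, v in grouped.items()}


def service_vs_ip_counts(records, port):
    """Return (service_records, unique_ips) for one port: the two figures
    the review compares (~344M services vs ~44M IPv4 addresses on port 80)."""
    on_port = [r for r in records if r.port == port]
    return len(on_port), len({r.ip for r in on_port})


def match_domain(records, pattern):
    """Records whose hostname matches a shell-style pattern such as
    '*.companyx.example' (the equivalent of a domain:"*.companyx.com" query)."""
    return [r for r in records if r.domain and fnmatch(r.domain, pattern)]


def diff_snapshots(old, new):
    """Return the changes a monitor on a saved query would raise between two
    uniform scans: ports that appeared or disappeared, and certificates that
    changed for a given (ip, port, hostname)."""
    old_ports = {(r.ip, r.port) for r in old}
    new_ports = {(r.ip, r.port) for r in new}
    old_certs = {(r.ip, r.port, r.domain): r.cert_sha1 for r in old if r.cert_sha1}
    new_certs = {(r.ip, r.port, r.domain): r.cert_sha1 for r in new if r.cert_sha1}
    return {
        "new_ports": sorted(new_ports - old_ports),
        "closed_ports": sorted(old_ports - new_ports),
        "changed_certs": sorted(k for k in new_certs
                                if k in old_certs and old_certs[k] != new_certs[k]),
    }


# Constructed snapshots of one fictional organisation's external web assets.
SNAPSHOT_T0 = [
    ServiceRecord("203.0.113.10", 443, "www.companyx.example", "aa11"),
    ServiceRecord("203.0.113.10", 443, "shop.companyx.example", "aa11"),  # second vhost, same server
    ServiceRecord("203.0.113.10", 80, "www.companyx.example", ""),
    ServiceRecord("203.0.113.20", 443, "vpn.companyx.example", "bb22"),
    ServiceRecord("203.0.113.20", 22, "", ""),
]
SNAPSHOT_T1 = [
    ServiceRecord("203.0.113.10", 443, "www.companyx.example", "cc33"),   # certificate replaced
    ServiceRecord("203.0.113.10", 443, "shop.companyx.example", "cc33"),
    ServiceRecord("203.0.113.10", 80, "www.companyx.example", ""),
    ServiceRecord("203.0.113.20", 443, "vpn.companyx.example", "bb22"),
    ServiceRecord("203.0.113.20", 22, "", ""),
    ServiceRecord("203.0.113.20", 8443, "vpn.companyx.example", "bb22"),  # port appeared since T0
]

if __name__ == "__main__":
    print(group_by_ip(SNAPSHOT_T0))
    print("port 443: services vs unique IPs:", service_vs_ip_counts(SNAPSHOT_T0, 443))
    print("domain:*.companyx.example ->", len(match_domain(SNAPSHOT_T0, "*.companyx.example")), "records")
    print(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
```

Keying certificate changes on the hostname as well as the address matters because a server with several virtual hosts may present a different certificate per SNI name; keying on (ip, port) alone would silently overwrite one vhost's fingerprint with another's.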



Criminal IP – Threat Search with Artificial Intelligence



General Characteristics


Criminal IP is the newest service in our review, launched in 2022 by the South Korean company AI Spera. Unlike previous search engines, Criminal IP (CIP) is positioned not only as an internet scanner but also as a Cyber Threat Intelligence platform. Its goal is to combine active scanning data with threat analytics (malware, phishing, malicious activity) and provide a convenient tool for assessing the "maliciousness" of any IP address or domain. In simpler terms, while Shodan/Censys tell you "what is open on this host", Criminal IP aims to add "how dangerous this host is".

Scanning and Data


Criminal IP, like the others, automatically collects data on IP addresses and ports worldwide in real time. However, its sources are diverse: it uses its own active port scanners, passive sensors (such as deployed honeypots), malware traffic analysis, blocklist databases and more. The developers claim that their system checks thousands of ports daily and collects banners from web services, databases, industrial systems, IoT devices, cryptocurrency nodes and more, including not only well-known ports but also registered (1024-49151) and dynamic (49152-65535) ports. In fact, CIP also attempts to scan the entire port range (like Censys). Additionally, it combines this with passive data: for example, if an IP is detected by a honeypot sensor as a scanner or as a source of attacks, this information is also included in the database. As a result, Criminal IP accumulates a vast amount of metadata: geolocation, WHOIS, domains, screenshots of web pages, IP blacklist status (DNSBL), information on malware activity (e.g., whether the IP connected to a botnet command server), etc. In total, the developers claim to index over 4.2 billion IP addresses (essentially the entire IPv4 space) with varying levels of information.

Search and Interface


Criminal IP implements four main types of searches: Asset Search, Domain Search, Image Search and Exploit Search.
  • Asset Search is a search by IP addresses and ports, similar to Shodan. It supports filters by country, port, service, keywords in the banner and the presence of vulnerabilities. For example, country:KR port:3389 has:vuln will find all open RDP in South Korea where CIP has detected a vulnerability (e.g., by protocol version). Or ip:203.0.113.0/24 status:404 will show all hosts in that subnet where the web server responds with HTTP 404 (yes, CIP can filter by HTTP status). Essentially, the Asset Search language is similar to Shodan/FOFA, with additional filters like status: and has:vuln.
  • Domain Search is a unique feature of CIP: it allows you to enter a URL or domain and receive a detailed report about the site. This is somewhat similar to services like urlscan.io: CIP visits the page, takes a screenshot, analyzes the content for phishing or malicious code, collects all links and related domains and even provides security recommendations for the site. Essentially, Domain Search acts as an online web page scanner. It's very useful for quickly analyzing suspicious URLs: instead of manually opening a potentially dangerous site, you can run Domain Search and get information about it safely.
  • Image Search is an extremely interesting feature: CIP indexes images (screenshots, camera feeds, etc.) and allows searching by image sample. You can upload a picture and CIP will find similar ones among the screenshots in its database. For example, by uploading a screenshot of an IoT camera interface, you can find all similar cameras, which is useful for identifying the brand of a device by the appearance of its interface. Or, as demonstrated by the developers, you can search for text on a screenshot: CIP performs OCR (optical character recognition) and indexes what is written on the image. For instance, you can find all RDP screenshots containing the word "encrypted"; this is how machines affected by ransomware (which displayed an encryption message on the desktop) were identified. This represents a completely new angle of search, absent in the other reviewed services.
  • Exploit Search is a section for searching known exploits and vulnerabilities. Essentially, this is an integrated search through exploit databases like exploit-db, Metasploit, etc., linked to Asset Search. You can enter the name of a vulnerability or a CVE and CIP will show the description and a list of IPs/domains associated with that vulnerability. It resembles a separate directory but is integrated: upon discovering a host with a vulnerable service in Asset Search, you can click on the CVE and see the exploit for it, or conversely, navigate from the Exploit section to search for vulnerable hosts.

Interface


The Criminal IP interface is modern and supports multiple languages (English, Korean, Japanese, French). The main page features a single search bar, allowing users to switch between search types. The results of Asset Search are presented in a table format: IP, list of open ports, Risk Score and tags. It is immediately visible whether the IP is marked as malicious, a proxy/VPN, part of a botnet, etc. Clicking on an IP opens a detailed report:

[Screenshot: fragment of a Criminal IP report for one IP address]

For example, a report from Criminal IP for a specific address (fragment) shows IP Scoring metrics of 99% Inbound (critical inbound risk) and 40% Outbound (low outbound risk), a Detection summary (identified as a Hosting IP) and a list of Current Open Ports (22, 80, 443, 2048, 8080, 8443), some marked "This has vulnerabilities". On the right, attributes are displayed: Proxy IP (No), VPN IP (N/A), Tor IP (No), Hosting IP (True). This IP is clearly compromised.

At the top of the report, the IP Risk Scores are prominently displayed as two circular indicators: Inbound (how dangerous the IP is to you if traffic is coming from it) and Outbound (how dangerous it is if traffic is going to it). For example, 99% Inbound means the IP is known to be malicious (it should not be allowed into the network), while 40% Outbound indicates a low risk from it (it likely doesn't attack on its own). Below is the Current Open Ports section listing open ports with their services and the presence of vulnerabilities (CIP marks ports with vulnerable versions in red as "this has vulnerabilities"). On the right, a Summary/Detection section displays the country, ASN and flags: Proxy IP: Yes/No, VPN IP: Yes/No, Tor IP: Yes/No, Hosting IP: Yes/No, Mobile IP, CDN IP, Scanner IP, Special Issue, etc. In other words, CIP attempts to classify whether the IP is a VPN exit, a Tor node, a cloud server, a mobile address, a known scanner and so on.

There are also sections for Abuse history (how many times the IP appeared in incidents, e.g., in botnet logs), Malicious history (a summary of malicious activity: phishing, mining, etc.), Connected domains (related domains, e.g., PTR records and domains from SSL certificates), Webcam data (if it's an IP camera, CIP can show frames), a Screenshot of the page and much more. Essentially, Criminal IP gathers all available information about an IP from open sources and from its own scanner on a single page.

This aggregated approach gives an immediate understanding of how dangerous an IP is and what threats are associated with it. While Shodan provides "raw" data, CIP adds context: for example, it will show that this IP is listed in five botnets, was involved in an attack on a bank, has ten open ports, two of which are vulnerable, and hosts a phishing domain. Clearly, such an IP is a candidate for blocking in any security system.

API and Integrations


Criminal IP provides a comprehensive REST API for all functions (searching, obtaining reports, initiating URL scans). Documentation is available on the website. CIP has also considered the ecosystem: there are ready-made integrations with third-party SIEM/SOAR systems, for example modules for Splunk and QRadar, an integration with Cisco SecureX, a plugin for VirusTotal, transforms for Maltego and others. Cisco praises CIP in its blog: the integration allows enriching alerts with CIP data (risk scores, related domains, abuse history) directly in the SOC. There is also a browser plugin, CIP Inspector, which shows IP information directly on the web page, similar to the Shodan plugin but focused on threats.

Access to the API is limited through a credit system. The initial free plan (Community) provides a certain number of credits (for example, 100 Asset Search requests and a couple of Domain scans per month; these numbers may change), which is enough to try out the service. There are also paid plans: Basic ($29/month), Professional ($99/month), etc., with more credits for searches and scans. For example, the Basic plan may offer 1000 Asset searches and 50 Domain scans monthly, while the Pro plan offers more. Exact figures are updated on the AI Spera website. For enterprises, there are custom solutions (for example, separate threat data feeds). Overall, the CIP model is closer to SaaS services than Shodan: you pay not just for results but for analytics and reports.

Use Cases


Criminal IP is a specialized tool for analyzing cyber threats and filtering out "noise". It's often referred to as a replacement for the simultaneous use of Shodan + GreyNoise + VirusTotal. Indeed, CIP addresses several tasks: first, it allows quickly determining whether an IP is associated with known scanners (like GreyNoise) or malicious botnets (like VirusTotal, AbuseIPDB). Second, it contains internet scanning functionality (like Shodan) for identifying open ports and services. The combination of these capabilities allows for the following applications:
  • False Positive Filtering in SOC

An analyst sees an IDS alert for a certain IP. They check the IP in Criminal IP and see that the IP Scoring Inbound: 0%, Outbound: 0%, Scanner: Yes. This means the IP is just a scanner (for example, a search engine or researcher) and doesn't pose a threat. Therefore, the incident doesn't need to be escalated. Conversely, if a request comes from an external IP to access a system, checking CIP shows Inbound Risk 85% and tags Malicious: Yes, Proxy: Yes, Hosting: Yes - this is likely suspicious traffic through an anonymizer, warranting further investigation.
  • Threat Hunting

The team proactively searches for C2 servers or compromised hosts. Through CIP Image Search, they can find screenshots with the message "Your files have been encrypted" - clearly indicating ransomware-infected machines. CIP shows their IPs and domains - owners can be notified, or it can be checked whether these are their systems. Another example: through CIP Exploit Search, fresh exploits can be found, along with a list of IPs to which this exploit applies (based on software version). This means CIP accelerates the hunter's work by providing a list of potential targets for verification.
  • Phishing and Malware Analysis

Upon receiving a suspicious URL, an analyst initiates a Domain Search in CIP. Within a minute they have a screenshot of the site, an analysis indicating that the site attempts to mimic a Microsoft 365 page (Phishing: High), and the facts that the domain was registered anonymously yesterday, is hosted on an IP from a data center in Ukraine and shares that IP with three other suspicious domains. Such a report allows for quick decisions: block the domain, add the IOCs to the database, etc. This is much faster than manually gathering the information piece by piece.

Of course, Criminal IP is a complementary tool rather than a replacement for Shodan or Censys. Its device coverage is smaller (the focus is on threats rather than maximum scanning completeness). Nevertheless, CIP provides a fresh perspective on security issues by combining scanning data with threat context. It's already being integrated into commercial solutions (the Cisco SecureX example) and over time it may become a standard element of SOC tooling. For individual researchers, CIP is a valuable resource for incident investigation, attack analysis and identifying malicious infrastructure.
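The triage reasoning in the "False Positive Filtering in SOC" case above (zero-risk known scanner: drop; raised inbound score plus malicious and anonymiser tags: investigate) and the report card described in the Interface section (inbound/outbound scores, classification flags, vulnerable ports, abuse history) can be encoded as a small rule set that an analyst or a SOAR playbook runs over enrichment results. The block below is an added example written for this review, not Criminal IP code: the field names (inbound, outbound, flags, open_ports, vulnerable_ports, abuse_count) are an assumed simplification of such a report and must be mapped to the real API schema before use; all sample reports are constructed.

```python
"""SOC triage over an IP-reputation card shaped like the Criminal IP report
described above. Added example, not Criminal IP code: the field names are an
assumed simplification and the sample reports are constructed."""
import json
from dataclasses import dataclass, field


@dataclass
class IpReport:
    ip: str
    inbound: int                 # 0-100: risk if traffic arrives FROM this IP
    outbound: int                # 0-100: risk if traffic is sent TO this IP
    flags: dict                  # e.g. {"scanner": True, "proxy": False, ...}
    open_ports: list = field(default_factory=list)
    vulnerable_ports: list = field(default_factory=list)
    abuse_count: int = 0         # number of prior abuse/incident reports


def report_from_json(text):
    """Build an IpReport from a JSON document using the assumed field names."""
    d = json.loads(text)
    return IpReport(
        ip=d["ip"],
        inbound=int(d.get("inbound", 0)),
        outbound=int(d.get("outbound", 0)),
        flags={k: bool(v) for k, v in d.get("flags", {}).items()},
        open_ports=list(d.get("open_ports", [])),
        vulnerable_ports=list(d.get("vulnerable_ports", [])),
        abuse_count=int(d.get("abuse_count", 0)),
    )


def triage(report, block_at=95, review_at=40):
    """Classify one report as 'benign_scanner', 'block', 'investigate' or
    'low_priority' and return the reasons behind the verdict.

    Mirrors the reasoning in the text: a zero-risk known scanner is noise, a
    near-certain malicious inbound score is a block candidate, and a raised
    score combined with anonymiser or malicious tags deserves a human look."""
    f = report.flags
    reasons = []
    if report.inbound == 0 and report.outbound == 0 and f.get("scanner"):
        return "benign_scanner", ["zero inbound/outbound risk", "tagged as known scanner"]
    if report.inbound >= review_at:
        reasons.append(f"inbound risk {report.inbound}%")
    if f.get("malicious"):
        reasons.append("tagged malicious")
    if any(f.get(k) for k in ("proxy", "vpn", "tor")):
        reasons.append("anonymiser exit (proxy/VPN/Tor)")
    if report.vulnerable_ports:
        reasons.append(f"vulnerable services on ports {report.vulnerable_ports}")
    if report.abuse_count:
        reasons.append(f"{report.abuse_count} prior abuse reports")
    if report.inbound >= block_at:
        return "block", reasons
    if reasons:
        return "investigate", reasons
    return "low_priority", reasons


def triage_alerts(reports):
    """Map each alert source IP to its verdict so the noise can be dropped first."""
    return {r.ip: triage(r)[0] for r in reports}


# Constructed reports covering the cases discussed in the review
# (TEST-NET-2 addresses; which ports are vulnerable is invented).
SAMPLE_REPORTS = [
    IpReport("198.51.100.7", 0, 0, {"scanner": True}, open_ports=[80]),
    IpReport("198.51.100.23", 85, 10, {"malicious": True, "proxy": True, "hosting": True}),
    IpReport("198.51.100.99", 99, 40, {"hosting": True},
             open_ports=[22, 80, 443, 2048, 8080, 8443], vulnerable_ports=[8080, 8443], abuse_count=5),
    IpReport("198.51.100.200", 5, 0, {"hosting": True}, open_ports=[443]),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        verdict, why = triage(r)
        print(f"{r.ip:16} {verdict:15} {'; '.join(why)}")
```

The thresholds are parameters rather than constants because they encode a policy decision: a team that wants every anonymiser exit reviewed regardless of score can lower review_at, while one drowning in alerts can raise it; the reasons list is what ends up in the ticket, so the analyst can see why an automated rule chose a verdict.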


Conclusion


The platforms discussed largely complement each other. Shodan is indispensable for quickly finding exposed devices and known vulnerabilities: it's updated promptly and is easy to use. ZoomEye and FOFA are useful for broadening the search horizon: they have wider coverage of ports and content and often discover what Shodan misses (especially in the Asian segment and by content characteristics). Censys provides depth and structure: when detailed host configuration is needed and all ports must be covered, it's unmatched. Netlas brings a fresh approach with its focus on domains and data freshness: it's a powerful tool for inventorying a company's external attack surface, monitoring changes and conducting OSINT investigations through DNS. Criminal IP goes beyond device search: it fills the threat intelligence niche, giving immediate insight into the danger posed by an object and combining scanning with threat analytics.

In practice, specialists often combine several tools for maximum coverage. For example, when working through an attack scenario, a team might find candidates through Shodan, then clarify details (all ports, configurations) through Censys, check additional domains and records through Netlas, search for exploits through ZoomEye/FOFA and finally assess the risk and activity history of the target through Criminal IP. This multifaceted approach provides the most comprehensive picture. Of course, resources and subscriptions for all tools may not always be available, so the choice of tool depends on the specific tasks at hand.

Key Areas of Application

  • For quick vulnerability and open service searches (classic pentesting): Shodan or ZoomEye (if a subscription is available) provide the most immediate results.
  • For deep inventorying of the external surface (e.g., in bug bounty for a large enterprise): a combination of Censys (for all ports, TLS data) and FOFA (for content search, subdomains) will yield the most insights.
  • For continuous monitoring of resources (ASM): Netlas and Shodan (with the Monitor function) are the best options, and it makes sense to include Censys ASM for comprehensive change control.
  • For threat response and threat hunting: Definitely Criminal IP (risk context) alongside GreyNoise (if a snapshot of scanners is needed) and again Shodan (which has sections for Exploits and MalwareHunter for finding C2).
It's important to note that the freshness of information is a key factor. Despite all advancements, any of the discussed services may have outdated data on less popular hosts or specific services. It's always beneficial to double-check critical findings through direct scanning (e.g., using nmap) or manually. Nevertheless, internet scanners significantly speed up work and allow for a "big picture" view on a global scale, something that is impossible to achieve manually.
 