Shodan
Shodan is the world's first search engine for Internet-connected devices. It continuously crawls the public Internet to build a searchable database of servers, IoT devices, industrial control systems, routers, webcams, databases, and any other host that exposes a service. Shodan provides REST, Streaming, and Trends APIs along with on-demand scanning, network alerts, notifiers, DNS lookups, the InternetDB API, and the CVEDB vulnerability database. It is widely used for attack-surface management, security research, threat intelligence, vulnerability discovery, market research, and academic study of the Internet itself.
5 APIs
13 Features
Security, Search, Internet, Devices, IoT, Vulnerabilities, CVE, Attack Surface, Threat Intelligence, Reconnaissance, Network, DNS, Scanning, Public APIs
The primary Shodan REST API exposes search methods, host lookups, on-demand scanning, network alerts, notifiers, the saved-query directory, DNS lookups, utility methods, account...
The Shodan Streaming API provides a real-time firehose of banner data as Shodan collects it. Filtered streams are available by ASN, country, port, and CVE. Output is either newl...
Trends is the historical analytics API for Shodan, exposing breakdowns of historical scan results aggregated by facet (product, port, country, organization, etc.) by month. Acce...
The InternetDB API is a free, unauthenticated lookup service that returns the open ports, CPEs, hostnames, tags, and known CVEs for any IPv4 address. The dataset is refreshed on...
CVEDB is Shodan's open vulnerability database API. It provides CVE lookups, CPE-keyed vulnerability search, KEV filtering, EPSS ordering, and date-range queries. No API key requ...
Internet-Wide Device Search
Search billions of indexed banners from servers, routers, webcams, industrial control systems, and IoT devices using a powerful query language with facets and filters.
Host Information Lookup
Retrieve all known information for an IP including open ports, service banners, geolocation, ASN/ISP, hostnames, vulnerabilities, SSL/TLS certificates, and detected technologies.
On-Demand Scanning
Submit IPs, CIDR ranges, or netblocks for an on-demand crawl using scan credits. Enterprise plans can request Internet-wide scans for a specific port or protocol.
Network Alerts and Notifiers
Create alerts on monitored IP ranges that fire when new services, changes, vulnerabilities, or expirations are detected, with delivery via Slack, email, webhook, and other notifier providers.
DNS Lookup Suite
Forward, reverse, and full-domain DNS lookups including subdomain enumeration backed by Shodan's passive DNS database.
Streaming Firehose
Subscribe to real-time banner data filtered by ASN, country, port, or CVE for SIEMs, data lakes, and bespoke analytics pipelines.
Trends Analytics
Run faceted queries against the full historical scan database to analyze product adoption, regional exposure, and changes over time.
InternetDB Free Lookup
Open, key-free lookup that returns the open ports, CPEs, tags, and CVEs for any IPv4 address; refreshed weekly.
CVEDB Vulnerability Database
Open vulnerability lookup with CPE search, KEV filter, EPSS sorting, and date-range queries.
Bulk Data Exports
Enterprise-tier daily and on-demand bulk exports of Shodan's underlying datasets for offline analysis and warehousing.
Organization Management
Enterprise organization support for sharing credits and managing members through the API.
Saved Query Directory
Browse, search, and tag community-contributed Shodan queries covering common technologies, exposures, and devices.
Notifier Providers
Built-in notification provider integrations for Slack, email, Discord, Telegram, webhook, and more.
aid: shodan
name: Shodan
description: >-
  Shodan is the world's first search engine for Internet-connected devices. It continuously crawls the public Internet
  to build a searchable database of servers, IoT devices, industrial control systems, routers, webcams, databases, and
  any other host that exposes a service. Shodan provides REST, Streaming, and Trends APIs along with on-demand scanning,
  network alerts, notifiers, DNS lookups, the InternetDB API, and the CVEDB vulnerability database. It is widely used
  for attack-surface management, security research, threat intelligence, vulnerability discovery, market research, and
  academic study of the Internet itself.
url: https://developer.shodan.io/
specificationVersion: '0.20'
created: '2026-05-28'
modified: '2026-05-30'
x-source: public-apis/public-apis
x-category: Security
x-tier: 1
x-tier-reason: full-pipeline-profiled
tags:
  - Security
  - Search
  - Internet
  - Devices
  - IoT
  - Vulnerabilities
  - CVE
  - Attack Surface
  - Threat Intelligence
  - Reconnaissance
  - Network
  - DNS
  - Scanning
  - Public APIs
apis:
  - name: Shodan REST API
    description: >-
      The primary Shodan REST API exposes search methods, host lookups, on-demand scanning, network alerts, notifiers,
      the saved-query directory, DNS lookups, utility methods, account information, bulk data, and organization
      management. Auth is via the `key` query parameter.
    humanURL: https://developer.shodan.io/api
    baseURL: https://api.shodan.io
    tags:
      - REST
      - Search
      - Host
      - Scanning
      - Alerts
      - Notifiers
      - DNS
    properties:
      - type: Documentation
        url: https://developer.shodan.io/api
      - type: APIReference
        url: https://developer.shodan.io/api
      - type: Authentication
        url: https://developer.shodan.io/api/requirements
      - type: OpenAPI
        url: openapi/shodan-rest-openapi.yml
      - type: JSONSchema
        url: json-schema/shodan-rest-host-schema.json
      - type: JSONSchema
        url: json-schema/shodan-rest-search-result-schema.json
      - type: JSONSchema
        url: json-schema/shodan-rest-alert-schema.json
      - type: JSONSchema
        url: json-schema/shodan-rest-notifier-schema.json
      - type: JSONSchema
        url: json-schema/shodan-rest-scan-schema.json
      - type: JSONStructure
        url: json-structure/shodan-rest-host-structure.json
      - type: JSONStructure
        url: json-structure/shodan-rest-alert-structure.json
      - type: JSON-LD
        url: json-ld/shodan-context.jsonld
      - type: Example
        url: examples/shodan-rest-host-lookup-example.json
      - type: Example
        url: examples/shodan-rest-search-example.json
      - type: Example
        url: examples/shodan-rest-scan-create-example.json
      - type: Example
        url: examples/shodan-rest-alert-create-example.json
  - name: Shodan Streaming API
    description: >-
      The Shodan Streaming API provides a real-time firehose of banner data as Shodan collects it. Filtered streams are
      available by ASN, country, port, and CVE. Output is either newline-separated JSON or Server-Sent Events.
    humanURL: https://developer.shodan.io/api/stream
    baseURL: https://stream.shodan.io
    tags:
      - Streaming
      - Real-Time
      - Firehose
      - SSE
    properties:
      - type: Documentation
        url: https://developer.shodan.io/api/stream
      - type: APIReference
        url: https://developer.shodan.io/api/stream
      - type: AsyncAPI
        url: asyncapi/shodan-stream-asyncapi.yml
      - type: OpenAPI
        url: openapi/shodan-stream-openapi.yml
      - type: JSONSchema
        url: json-schema/shodan-stream-banner-schema.json
      - type: JSONStructure
        url: json-structure/shodan-stream-banner-structure.json
      - type: Example
        url: examples/shodan-stream-banner-example.json
  - name: Shodan Trends API
    description: >-
      Trends is the historical analytics API for Shodan, exposing breakdowns of historical scan results aggregated by
      facet (product, port, country, organization, etc.) by month. Access is Enterprise-only.
    humanURL: https://developer.shodan.io/api/trends
    baseURL: https://trends.shodan.io
    tags:
      - Trends
      - Analytics
      - Historical
      - Enterprise
    properties:
      - type: Documentation
        url: https://developer.shodan.io/api/trends
      - type: APIReference
        url: https://developer.shodan.io/api/trends
      - type: OpenAPI
        url: openapi/shodan-trends-openapi.yml
      - type: JSONSchema
        url: json-schema/shodan-trends-result-schema.json
      - type: Example
        url: examples/shodan-trends-search-example.json
  - name: InternetDB API
    description: >-
      The InternetDB API is a free, unauthenticated lookup service that returns the open ports, CPEs, hostnames, tags,
      and known CVEs for any IPv4 address. The dataset is refreshed once per week. Free for non-commercial use;
      commercial use requires an enterprise license.
    humanURL: https://internetdb.shodan.io/
    baseURL: https://internetdb.shodan.io
    tags:
      - InternetDB
      - Free
      - IP Lookup
      - Public
    properties:
      - type: Documentation
        url: https://internetdb.shodan.io/
      - type: OpenAPI
        url: openapi/shodan-internetdb-openapi.yml
      - type: JSONSchema
        url: json-schema/shodan-internetdb-host-schema.json
      - type: Example
        url: examples/shodan-internetdb-host-example.json
  - name: CVEDB API
    description: >-
      CVEDB is Shodan's open vulnerability database API. It provides CVE lookups, CPE-keyed vulnerability search, KEV
      filtering, EPSS ordering, and date-range queries. No API key required; updated daily. Free for non-commercial use.
    humanURL: https://cvedb.shodan.io/
    baseURL: https://cvedb.shodan.io
    tags:
      - CVE
      - Vulnerabilities
      - CPE
      - KEV
      - EPSS
      - Free
    properties:
      - type: Documentation
        url: https://cvedb.shodan.io/
      - type: OpenAPI
        url: openapi/shodan-cvedb-openapi.yml
      - type: JSONSchema
        url: json-schema/shodan-cvedb-cve-schema.json
      - type: JSONSchema
        url: json-schema/shodan-cvedb-cpe-schema.json
      - type: Example
        url: examples/shodan-cvedb-cve-lookup-example.json
common:
  - type: PostmanWorkspace
    url: https://www.postman.com/kinlaneapi/shodan/overview
  - type: ArazzoWorkflows
    url: arazzo/
    workflows:
      - url: arazzo/shodan-account-overview-workflow.yml
        name: Shodan Account Overview
        summary: Pull the account profile, API plan limits, and the client's own IP.
      - url: arazzo/shodan-alert-with-notifier-workflow.yml
        name: Shodan Alert With Notifier
        summary: Create a notifier, attach it via an alert, and arm a trigger for delivery.
      - url: arazzo/shodan-cve-enrichment-workflow.yml
        name: Shodan CVEDB Product Vulnerability Enrichment
        summary: Resolve a product to a CPE, search its CVEs, then pull full CVE details.
      - url: arazzo/shodan-domain-recon-workflow.yml
        name: Shodan Domain Reconnaissance
        summary: Enumerate a domain's DNS records, resolve a subdomain, and inspect the host.
      - url: arazzo/shodan-internetdb-vuln-triage-workflow.yml
        name: Shodan InternetDB Vulnerability Triage
        summary: Pull an IP's free InternetDB record, then detail one of its known CVEs.
      - url: arazzo/shodan-network-alert-lifecycle-workflow.yml
        name: Shodan Network Alert Lifecycle
        summary: Create a network alert, enable a trigger, verify it, then update the IP set.
      - url: arazzo/shodan-notifier-lifecycle-workflow.yml
        name: Shodan Notifier Lifecycle
        summary: Create a notifier, read it back, update it, then delete it.
      - url: arazzo/shodan-query-directory-workflow.yml
        name: Shodan Query Directory Explorer
        summary: Browse popular query tags, search the saved-query directory, then run a match.
      - url: arazzo/shodan-resolve-and-host-info-workflow.yml
        name: Shodan Resolve Hostname and Inspect Host
        summary: Resolve a hostname to an IP and pull the full Shodan host record for that IP.
      - url: arazzo/shodan-reverse-dns-to-host-info-workflow.yml
        name: Shodan Reverse DNS to Host Info
        summary: Reverse-resolve an IP to its hostnames, then pull the full host record.
      - url: arazzo/shodan-scan-then-inspect-host-workflow.yml
        name: Shodan Scan Then Inspect Host
        summary: Submit a single-IP scan, poll until done, then pull the fresh host record.
      - url: arazzo/shodan-search-builder-workflow.yml
        name: Shodan Search Builder
        summary: Discover available filters and facets, validate a query, then count its results.
      - url: arazzo/shodan-search-to-host-detail-workflow.yml
        name: Shodan Search to Host Detail
        summary: Estimate a search, run it, then drill into the first matching host.
      - url: arazzo/shodan-submit-scan-and-poll-workflow.yml
        name: Shodan Submit On-Demand Scan and Poll
        summary: Submit an on-demand scan and poll its status until the crawl completes.
      - url: arazzo/shodan-trends-vs-live-workflow.yml
        name: Shodan Historical Trends vs Live Exposure
        summary: Pull historical monthly trends for a query, then compare to the live count.
  - type: Website
    url: https://www.shodan.io/
  - type: DeveloperPortal
    url: https://developer.shodan.io/
  - type: Documentation
    url: https://developer.shodan.io/
  - type: APIReference
    url: https://developer.shodan.io/api
  - type: Pricing
    url: https://account.shodan.io/billing
  - type: Plans
    url: plans/shodan-plans-pricing.yml
  - type: RateLimits
    url: rate-limits/shodan-rate-limits.yml
  - type: SignUp
    url: https://account.shodan.io/register
  - type: Login
    url: https://account.shodan.io/login
  - type: Console
    url: https://www.shodan.io/dashboard
  - type: Authentication
    url: https://developer.shodan.io/api/requirements
  - type: GettingStarted
    url: https://help.shodan.io/the-basics/what-is-shodan
  - type: Quickstart
    url: https://help.shodan.io/the-basics/search-query-fundamentals
  - type: Tutorials
    url: https://help.shodan.io/
  - type: KnowledgeCenter
    url: https://help.shodan.io/
  - type: Glossary
    url: https://datapedia.shodan.io/
  - type: Support
    url: mailto:support@shodan.io
  - type: Blog
    url: https://blog.shodan.io/
  - type: StatusPage
    url: https://status.shodan.io/
  - type: TermsOfService
    url: https://www.shodan.io/legal/tos
  - type: PrivacyPolicy
    url: https://www.shodan.io/legal/privacy
  - type: Legal
    url: https://www.shodan.io/legal
  - type: X
    url: https://x.com/shodanhq
  - type: LinkedIn
    url: https://www.linkedin.com/company/shodan
  - type: YouTube
    url: https://www.youtube.com/@shodanhq
  - type: GitHubOrganization
    url: https://github.com/achillean
  - type: GitHubRepository
    url: https://github.com/achillean/shodan-python
  - type: GitHubRepository
    url: https://github.com/achillean/shodan-developer-docs
  - type: GitHubRepository
    url: https://github.com/achillean/shodan-ruby
  - type: GitHubRepository
    url: https://github.com/achillean/shodan-perl
  - type: GitHubRepository
    url: https://github.com/achillean/Shodan.NET
  - type: GitHubRepository
    url: https://github.com/achillean/steampipe-plugin-shodan
  - type: CLI
    url: https://help.shodan.io/command-line-interface/0-installation
  - type: SDK
    name: Python
    url: https://github.com/achillean/shodan-python
  - type: SDK
    name: Ruby
    url: https://github.com/picatz/shodanz
  - type: SDK
    name: PHP
    url: https://github.com/ScadaExposure/Shodan-PHP-REST-API
  - type: SDK
    name: C++
    url: https://github.com/prophetl33t/ShodanCPP
  - type: SDK
    name: C#
    url: https://www.nuget.org/packages/Shodan/
  - type: SDK
    name: C# (alt)
    url: https://github.com/tparnell8/Shodan.Net
  - type: SDK
    name: Go
    url: https://github.com/shadowscatcher/shodan
  - type: SDK
    name: Go (ns3777k)
    url: https://github.com/ns3777k/go-shodan
  - type: SDK
    name: Haskell
    url: https://github.com/iomonad/shodan
  - type: SDK
    name: Java
    url: https://github.com/fooock/jshodan
  - type: SDK
    name: Node.js
    url: https://github.com/jesusprubio/shodan-client.js
  - type: SDK
    name: Perl
    url: https://github.com/Dudley5000/WWW-Shodan-API
  - type: SDK
    name: PowerShell
    url: https://github.com/darkoperator/Posh-Shodan
  - type: SDK
    name: Rust
    url: https://github.com/femiagbabiaka/shodan-rust
  - type: SDK
    name: Crystal
    url: https://github.com/PercussiveElbow/Shodan
  - type: Tools
    name: Steampipe Plugin
    url: https://github.com/achillean/steampipe-plugin-shodan
  - type: Tools
    name: Shodan Monitor
    url: https://monitor.shodan.io
  - type: Tools
    name: Shodan Maps
    url: https://maps.shodan.io
  - type: Tools
    name: Shodan Images
    url: https://images.shodan.io
  - type: Tools
    name: Shodan Bulk Data
    url: https://enterprise.shodan.io
  - type: Tools
    name: Shodan Snippets
    url: https://snippets.shodan.io
  - type: Tools
    name: MCP Server (BurtTheCoder)
    url: https://github.com/BurtTheCoder/mcp-shodan
  - type: Tools
    name: MCP Server (ADEOSec)
    url: https://github.com/ADEOSec/mcp-shodan
  - type: Tools
    name: MCP Server (Cyreslab-AI)
    url: https://github.com/Cyreslab-AI/shodan-mcp-server
  - type: Tools
    name: MCP Server (Vorota-ai)
    url: https://github.com/Vorota-ai/shodan-mcp
  - type: Tools
    name: MCP Server (mohdhaji87)
    url: https://github.com/mohdhaji87/Shodan-MCP
  - type: SpectralRules
    url: rules/shodan-rules.yml
  - type: Vocabulary
    url: vocabulary/shodan-vocabulary.yml
  - type: FinOps
    url: finops/shodan-finops.yml
  - type: Features
    data:
      - name: Internet-Wide Device Search
        description: >-
          Search billions of indexed banners from servers, routers, webcams, industrial control systems, and IoT devices
          using a powerful query language with facets and filters.
      - name: Host Information Lookup
        description: >-
          Retrieve all known information for an IP including open ports, service banners, geolocation, ASN/ISP,
          hostnames, vulnerabilities, SSL/TLS certificates, and detected technologies.
      - name: On-Demand Scanning
        description: >-
          Submit IPs, CIDR ranges, or netblocks for an on-demand crawl using scan credits. Enterprise plans can request
          Internet-wide scans for a specific port or protocol.
      - name: Network Alerts and Notifiers
        description: >-
          Create alerts on monitored IP ranges that fire when new services, changes, vulnerabilities, or expirations are
          detected, with delivery via Slack, email, webhook, and other notifier providers.
      - name: DNS Lookup Suite
        description: >-
          Forward, reverse, and full-domain DNS lookups including subdomain enumeration backed by Shodan's passive DNS
          database.
      - name: Streaming Firehose
        description: >-
          Subscribe to real-time banner data filtered by ASN, country, port, or CVE for SIEMs, data lakes, and bespoke
          analytics pipelines.
      - name: Trends Analytics
        description: >-
          Run faceted queries against the full historical scan database to analyze product adoption, regional exposure,
          and changes over time.
      - name: InternetDB Free Lookup
        description: >-
          Open, key-free lookup that returns the open ports, CPEs, tags, and CVEs for any IPv4 address; refreshed
          weekly.
      - name: CVEDB Vulnerability Database
        description: Open vulnerability lookup with CPE search, KEV filter, EPSS sorting, and date-range queries.
      - name: Bulk Data Exports
        description: >-
          Enterprise-tier daily and on-demand bulk exports of Shodan's underlying datasets for offline analysis and
          warehousing.
      - name: Organization Management
        description: Enterprise organization support for sharing credits and managing members through the API.
      - name: Saved Query Directory
        description: >-
          Browse, search, and tag community-contributed Shodan queries covering common technologies, exposures, and
          devices.
      - name: Notifier Providers
        description: Built-in notification provider integrations for Slack, email, Discord, Telegram, webhook, and more.
  - type: UseCases
    data:
      - name: Attack Surface Management
        description: >-
          Continuously monitor an organization's external attack surface for new services, configuration drift, and
          vulnerable software.
      - name: Vulnerability Intelligence
        description: >-
          Quantify exposure to specific CVEs across the Internet or a defined customer footprint using CVEDB and the
          search/trends APIs.
      - name: Threat Hunting and OSINT
        description: Pivot from IPs, certificates, banners, and ASNs to map adversary infrastructure and discover related hosts.
      - name: Security Research
        description: >-
          Study the distribution of misconfigured services, exposed databases, and emerging IoT ecosystems across the
          public Internet.
      - name: Competitive and Market Research
        description: >-
          Track adoption of products, web servers, cloud providers, and frameworks across regions and industries using
          Trends.
      - name: Regulatory and Compliance Reporting
        description: Demonstrate visibility into externally exposed assets for frameworks that require attack-surface inventories.
      - name: Insurance Underwriting
        description: >-
          Inform cyber-insurance scoring with externally observable evidence of exposed services, vulnerabilities, and
          hygiene.
      - name: Incident Response
        description: Triage IPs observed in alerts against Shodan history to determine who they are and what services they expose.
  - type: Integrations
    data:
      - name: Splunk
        description: >-
          Shodan data is widely ingested into Splunk for security analytics via the streaming API and the Splunk add-on
          ecosystem.
      - name: Maltego
        description: Shodan transforms for Maltego enable graph-based pivoting on banners, certificates, and IPs.
      - name: Slack
        description: Notifier integration delivers alert events to Slack channels.
      - name: Email
        description: Notifier integration delivers alert events to mailboxes.
      - name: Webhook
        description: Notifier integration posts alert events to arbitrary HTTPS endpoints.
      - name: Discord
        description: Notifier integration delivers alert events to Discord servers.
      - name: Telegram
        description: Notifier integration delivers alert events to Telegram chats.
      - name: Steampipe
        description: Official Steampipe plugin lets you query Shodan host, DNS, and exploit data using standard SQL.
      - name: Model Context Protocol
        description: Multiple community MCP servers expose Shodan tools to AI assistants including Claude, Cursor, and VS Code.
      - name: Nmap
        description: Shodan's CLI ships helpers to enrich Nmap scan output with Shodan-derived banner context.
  - type: Solutions
    data:
      - name: Shodan Monitor
        description: Hosted attack-surface monitoring product built on the network alerts and notifiers APIs.
      - name: Enterprise Data Feed
        description: >-
          Real-time firehose and daily bulk data exports for SOCs, threat intelligence platforms, and academic
          researchers.
      - name: InternetDB
        description: Free, unauthenticated host lookup designed for embedding into security tools and dashboards.
      - name: CVEDB
        description: Free vulnerability database with KEV and EPSS metadata for prioritization workflows.
      - name: Internet-Wide Scanning
        description: Enterprise-only capability to request a scan of the entire Internet for a specific port or protocol.
maintainers:
  - FN: Kin Lane
    email: kin@apievangelist.com