Shodan
Shodan is the world's first search engine for Internet-connected devices. It continuously crawls the public Internet to build a searchable database of servers, IoT devices, industrial control systems, routers, webcams, databases, and any other host that exposes a service. Shodan provides REST, Streaming, and Trends APIs along with on-demand scanning, network alerts, notifiers, DNS lookups, the InternetDB API, and the CVEDB vulnerability database. It is widely used for attack-surface management, security research, threat intelligence, vulnerability discovery, market research, and academic study of the Internet itself.
APIs
Shodan REST API
The primary Shodan REST API exposes search methods, host lookups, on-demand scanning, network alerts, notifiers, the saved-query directory, DNS lookups, utility methods, account...
Shodan Streaming API
The Shodan Streaming API provides a real-time firehose of banner data as Shodan collects it. Filtered streams are available by ASN, country, port, and CVE. Output is either newl...
Shodan Trends API
Trends is the historical analytics API for Shodan, exposing breakdowns of historical scan results aggregated by facet (product, port, country, organization, etc.) by month. Acce...
InternetDB API
The InternetDB API is a free, unauthenticated lookup service that returns the open ports, CPEs, hostnames, tags, and known CVEs for any IPv4 address. The dataset is refreshed on...
CVEDB API
CVEDB is Shodan's open vulnerability database API. It provides CVE lookups, CPE-keyed vulnerability search, KEV filtering, EPSS ordering, and date-range queries. No API key requ...
Collections
Shodan CVEDB API
POSTMANShodan InternetDB API
POSTMANShodan REST API
POSTMANShodan Streaming API
POSTMANShodan Trends API
POSTMANShodan CVEDB API
OPENShodan REST API
OPENShodan Streaming API
OPENShodan Trends API
OPENArazzo Workflows
Shodan Alert With Notifier
Create a notifier, attach it via an alert, and arm a trigger for delivery.
ARAZZOShodan CVEDB Product Vulnerability Enrichment
Resolve a product to a CPE, search its CVEs, then pull full CVE details.
ARAZZOShodan Domain Reconnaissance
Enumerate a domain's DNS records, resolve a subdomain, and inspect the host.
ARAZZOShodan InternetDB Vulnerability Triage
Pull an IP's free InternetDB record, then detail one of its known CVEs.
ARAZZOShodan Network Alert Lifecycle
Create a network alert, enable a trigger, verify it, then update the IP set.
ARAZZOShodan Query Directory Explorer
Browse popular query tags, search the saved-query directory, then run a match.
ARAZZOShodan Resolve Hostname and Inspect Host
Resolve a hostname to an IP and pull the full Shodan host record for that IP.
ARAZZOShodan Reverse DNS to Host Info
Reverse-resolve an IP to its hostnames, then pull the full host record.
ARAZZOShodan Scan Then Inspect Host
Submit a single-IP scan, poll until done, then pull the fresh host record.
ARAZZOShodan Search Builder
Discover available filters and facets, validate a query, then count its results.
ARAZZOShodan Search to Host Detail
Estimate a search, run it, then drill into the first matching host.
ARAZZOShodan Submit On-Demand Scan and Poll
Submit an on-demand scan and poll its status until the crawl completes.
ARAZZOShodan Historical Trends vs Live Exposure
Pull historical monthly trends for a query, then compare to the live count.
ARAZZOPricing Plans
Rate Limits
FinOps
Shodan Finops
FINOPSFeatures
Search billions of indexed banners from servers, routers, webcams, industrial control systems, and IoT devices using a powerful query language with facets and filters.
Retrieve all known information for an IP including open ports, service banners, geolocation, ASN/ISP, hostnames, vulnerabilities, SSL/TLS certificates, and detected technologies.
Submit IPs, CIDR ranges, or netblocks for an on-demand crawl using scan credits. Enterprise plans can request Internet-wide scans for a specific port or protocol.
Create alerts on monitored IP ranges that fire when new services, changes, vulnerabilities, or expirations are detected, with delivery via Slack, email, webhook, and other notifier providers.
Forward, reverse, and full-domain DNS lookups including subdomain enumeration backed by Shodan's passive DNS database.
Subscribe to real-time banner data filtered by ASN, country, port, or CVE for SIEMs, data lakes, and bespoke analytics pipelines.
Run faceted queries against the full historical scan database to analyze product adoption, regional exposure, and changes over time.
Open, key-free lookup that returns the open ports, CPEs, tags, and CVEs for any IPv4 address; refreshed weekly.
Open vulnerability lookup with CPE search, KEV filter, EPSS sorting, and date-range queries.
Enterprise-tier daily and on-demand bulk exports of Shodan's underlying datasets for offline analysis and warehousing.
Enterprise organization support for sharing credits and managing members through the API.
Browse, search, and tag community-contributed Shodan queries covering common technologies, exposures, and devices.
Built-in notification provider integrations for Slack, email, Discord, Telegram, webhook, and more.
Use Cases
Continuously monitor an organization's external attack surface for new services, configuration drift, and vulnerable software.
Quantify exposure to specific CVEs across the Internet or a defined customer footprint using CVEDB and the search/trends APIs.
Pivot from IPs, certificates, banners, and ASNs to map adversary infrastructure and discover related hosts.
Study the distribution of misconfigured services, exposed databases, and emerging IoT ecosystems across the public Internet.
Track adoption of products, web servers, cloud providers, and frameworks across regions and industries using Trends.
Demonstrate visibility into externally exposed assets for frameworks that require attack-surface inventories.
Inform cyber-insurance scoring with externally observable evidence of exposed services, vulnerabilities, and hygiene.
Triage IPs observed in alerts against Shodan history to determine who they are and what services they expose.
Integrations
Shodan data is widely ingested into Splunk for security analytics via the streaming API and the Splunk add-on ecosystem.
Shodan transforms for Maltego enable graph-based pivoting on banners, certificates, and IPs.
Notifier integration delivers alert events to Slack channels.
Notifier integration delivers alert events to mailboxes.
Notifier integration posts alert events to arbitrary HTTPS endpoints.
Notifier integration delivers alert events to Discord servers.
Notifier integration delivers alert events to Telegram chats.
Official Steampipe plugin lets you query Shodan host, DNS, and exploit data using standard SQL.
Multiple community MCP servers expose Shodan tools to AI assistants including Claude, Cursor, and VS Code.
Shodan's CLI ships helpers to enrich Nmap scan output with Shodan-derived banner context.
Solutions
Hosted attack-surface monitoring product built on the network alerts and notifiers APIs.
Real-time firehose and daily bulk data exports for SOCs, threat intelligence platforms, and academic researchers.
Free, unauthenticated host lookup designed for embedding into security tools and dashboards.
Free vulnerability database with KEV and EPSS metadata for prioritization workflows.
Enterprise-only capability to request a scan of the entire Internet for a specific port or protocol.
Event Specifications
Shodan Streaming API
Real-time streaming firehose of banner data collected by Shodan, delivered as newline-separated JSON or Server-Sent Events. Subscribers can consume the full firehose or filter b...
ASYNCAPI