Shodan website screenshot

Shodan

Shodan is the world's first search engine for Internet-connected devices. It continuously crawls the public Internet to build a searchable database of servers, IoT devices, industrial control systems, routers, webcams, databases, and any other host that exposes a service. Shodan provides REST, Streaming, and Trends APIs along with on-demand scanning, network alerts, notifiers, DNS lookups, the InternetDB API, and the CVEDB vulnerability database. It is widely used for attack-surface management, security research, threat intelligence, vulnerability discovery, market research, and academic study of the Internet itself.

5 APIs 13 Features
SecuritySearchInternetDevicesIoTVulnerabilitiesCVEAttack SurfaceThreat IntelligenceReconnaissanceNetworkDNSScanningPublic APIs

APIs

Shodan REST API

The primary Shodan REST API exposes search methods, host lookups, on-demand scanning, network alerts, notifiers, the saved-query directory, DNS lookups, utility methods, account...

Shodan Streaming API

The Shodan Streaming API provides a real-time firehose of banner data as Shodan collects it. Filtered streams are available by ASN, country, port, and CVE. Output is either newl...

Shodan Trends API

Trends is the historical analytics API for Shodan, exposing breakdowns of historical scan results aggregated by facet (product, port, country, organization, etc.) by month. Acce...

InternetDB API

The InternetDB API is a free, unauthenticated lookup service that returns the open ports, CPEs, hostnames, tags, and known CVEs for any IPv4 address. The dataset is refreshed on...

CVEDB API

CVEDB is Shodan's open vulnerability database API. It provides CVE lookups, CPE-keyed vulnerability search, KEV filtering, EPSS ordering, and date-range queries. No API key requ...

Collections

Shodan REST API

POSTMAN

Arazzo Workflows

Shodan Account Overview

Pull the account profile, API plan limits, and the client's own IP.

ARAZZO

Shodan Alert With Notifier

Create a notifier, attach it via an alert, and arm a trigger for delivery.

ARAZZO

Shodan CVEDB Product Vulnerability Enrichment

Resolve a product to a CPE, search its CVEs, then pull full CVE details.

ARAZZO

Shodan Domain Reconnaissance

Enumerate a domain's DNS records, resolve a subdomain, and inspect the host.

ARAZZO

Shodan InternetDB Vulnerability Triage

Pull an IP's free InternetDB record, then detail one of its known CVEs.

ARAZZO

Shodan Network Alert Lifecycle

Create a network alert, enable a trigger, verify it, then update the IP set.

ARAZZO

Shodan Notifier Lifecycle

Create a notifier, read it back, update it, then delete it.

ARAZZO

Shodan Query Directory Explorer

Browse popular query tags, search the saved-query directory, then run a match.

ARAZZO

Shodan Resolve Hostname and Inspect Host

Resolve a hostname to an IP and pull the full Shodan host record for that IP.

ARAZZO

Shodan Reverse DNS to Host Info

Reverse-resolve an IP to its hostnames, then pull the full host record.

ARAZZO

Shodan Scan Then Inspect Host

Submit a single-IP scan, poll until done, then pull the fresh host record.

ARAZZO

Shodan Search Builder

Discover available filters and facets, validate a query, then count its results.

ARAZZO

Shodan Search to Host Detail

Estimate a search, run it, then drill into the first matching host.

ARAZZO

Shodan Submit On-Demand Scan and Poll

Submit an on-demand scan and poll its status until the crawl completes.

ARAZZO

Shodan Historical Trends vs Live Exposure

Pull historical monthly trends for a query, then compare to the live count.

ARAZZO

Pricing Plans

Shodan Plans Pricing

6 plans

PLANS

Rate Limits

Shodan Rate Limits

17 limits

RATE LIMITS

FinOps

Shodan Finops

FINOPS

Features

Internet-Wide Device Search

Search billions of indexed banners from servers, routers, webcams, industrial control systems, and IoT devices using a powerful query language with facets and filters.

Host Information Lookup

Retrieve all known information for an IP including open ports, service banners, geolocation, ASN/ISP, hostnames, vulnerabilities, SSL/TLS certificates, and detected technologies.

On-Demand Scanning

Submit IPs, CIDR ranges, or netblocks for an on-demand crawl using scan credits. Enterprise plans can request Internet-wide scans for a specific port or protocol.

Network Alerts and Notifiers

Create alerts on monitored IP ranges that fire when new services, changes, vulnerabilities, or expirations are detected, with delivery via Slack, email, webhook, and other notifier providers.

DNS Lookup Suite

Forward, reverse, and full-domain DNS lookups including subdomain enumeration backed by Shodan's passive DNS database.

Streaming Firehose

Subscribe to real-time banner data filtered by ASN, country, port, or CVE for SIEMs, data lakes, and bespoke analytics pipelines.

Trends Analytics

Run faceted queries against the full historical scan database to analyze product adoption, regional exposure, and changes over time.

InternetDB Free Lookup

Open, key-free lookup that returns the open ports, CPEs, tags, and CVEs for any IPv4 address; refreshed weekly.

CVEDB Vulnerability Database

Open vulnerability lookup with CPE search, KEV filter, EPSS sorting, and date-range queries.

Bulk Data Exports

Enterprise-tier daily and on-demand bulk exports of Shodan's underlying datasets for offline analysis and warehousing.

Organization Management

Enterprise organization support for sharing credits and managing members through the API.

Saved Query Directory

Browse, search, and tag community-contributed Shodan queries covering common technologies, exposures, and devices.

Notifier Providers

Built-in notification provider integrations for Slack, email, Discord, Telegram, webhook, and more.

Use Cases

Attack Surface Management

Continuously monitor an organization's external attack surface for new services, configuration drift, and vulnerable software.

Vulnerability Intelligence

Quantify exposure to specific CVEs across the Internet or a defined customer footprint using CVEDB and the search/trends APIs.

Threat Hunting and OSINT

Pivot from IPs, certificates, banners, and ASNs to map adversary infrastructure and discover related hosts.

Security Research

Study the distribution of misconfigured services, exposed databases, and emerging IoT ecosystems across the public Internet.

Competitive and Market Research

Track adoption of products, web servers, cloud providers, and frameworks across regions and industries using Trends.

Regulatory and Compliance Reporting

Demonstrate visibility into externally exposed assets for frameworks that require attack-surface inventories.

Insurance Underwriting

Inform cyber-insurance scoring with externally observable evidence of exposed services, vulnerabilities, and hygiene.

Incident Response

Triage IPs observed in alerts against Shodan history to determine who they are and what services they expose.

Integrations

Splunk

Shodan data is widely ingested into Splunk for security analytics via the streaming API and the Splunk add-on ecosystem.

Maltego

Shodan transforms for Maltego enable graph-based pivoting on banners, certificates, and IPs.

Slack

Notifier integration delivers alert events to Slack channels.

Email

Notifier integration delivers alert events to mailboxes.

Webhook

Notifier integration posts alert events to arbitrary HTTPS endpoints.

Discord

Notifier integration delivers alert events to Discord servers.

Telegram

Notifier integration delivers alert events to Telegram chats.

Steampipe

Official Steampipe plugin lets you query Shodan host, DNS, and exploit data using standard SQL.

Model Context Protocol

Multiple community MCP servers expose Shodan tools to AI assistants including Claude, Cursor, and VS Code.

Nmap

Shodan's CLI ships helpers to enrich Nmap scan output with Shodan-derived banner context.

Solutions

Shodan Monitor

Hosted attack-surface monitoring product built on the network alerts and notifiers APIs.

Enterprise Data Feed

Real-time firehose and daily bulk data exports for SOCs, threat intelligence platforms, and academic researchers.

InternetDB

Free, unauthenticated host lookup designed for embedding into security tools and dashboards.

CVEDB

Free vulnerability database with KEV and EPSS metadata for prioritization workflows.

Internet-Wide Scanning

Enterprise-only capability to request a scan of the entire Internet for a specific port or protocol.

Event Specifications

Shodan Streaming API

Real-time streaming firehose of banner data collected by Shodan, delivered as newline-separated JSON or Server-Sent Events. Subscribers can consume the full firehose or filter b...

ASYNCAPI

Semantic Vocabularies

Shodan Context

8 classes · 46 properties

JSON-LD

API Governance Rules

Shodan API Rules

11 rules · 6 errors 5 warnings

SPECTRAL

JSON Structure

Shodan Rest Alert Structure

0 properties

JSON STRUCTURE

Shodan Rest Host Structure

0 properties

JSON STRUCTURE

Shodan Stream Banner Structure

0 properties

JSON STRUCTURE

Example Payloads

Shodan Rest Search Example

2 fields

EXAMPLE

Shodan Stream Banner Example

2 fields

EXAMPLE

Shodan Trends Search Example

2 fields

EXAMPLE

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Website
Website
🌐
DeveloperPortal
DeveloperPortal
🔗
Documentation
Documentation
🔗
APIReference
APIReference
💰
Pricing
Pricing
🔗
Plans
Plans
🔗
RateLimits
RateLimits
📝
Signup
Signup
🔗
Login
Login
🌐
Console
Console
🔑
Authentication
Authentication
🚀
GettingStarted
GettingStarted
🚀
GettingStarted
GettingStarted
🎓
Tutorials
Tutorials
🔗
KnowledgeCenter
KnowledgeCenter
🔗
Glossary
Glossary
💬
Support
Support
📰
Blog
Blog
🟢
StatusPage
StatusPage
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
📜
Legal
Legal
🔗
X
X
🔗
LinkedIn
LinkedIn
👥
YouTube
YouTube
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
🔗
CLI
CLI
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
📦
SDKs
SDKs
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔧
Tools
Tools
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary
🔗
FinOps
FinOps

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Shodan Trends API
  version: '1.0'
request:
  auth:
    type: apikey
    key: key
    value: '{{key}}'
    placement: query
items:
- info:
    name: Trends
    type: folder
  items:
  - info:
      name: Search Historical Trends
      type: http
    http:
      method: GET
      url: https://trends.shodan.io/api/v1/search
      params:
      - name: query
        value: ''
        type: query
        description: Historical Shodan search query (e.g. `product:nginx`).
      - name: facets
        value: ''
        type: query
        description: Comma-separated facets with optional size suffix (e.g. `country:10`).
    docs: Return monthly counts and faceted aggregations for a historical Shodan search.
bundled: true