Overview
Before an attacker exploits a vulnerable service, they find it. Shodan does what adversaries do: it continuously scans the global IPv4 space, catalogs every reachable service, and records banners, certificates, software versions, and vulnerability references. The difference is that defenders can use the same data proactively. Security teams at utilities, financial institutions, critical infrastructure operators, and managed security providers query Shodan to understand what their organisation looks like from the outside, and to catch exposures before they become incidents.
Argus integrates with Shodan to surface external attack surface intelligence for organisations and their monitored assets. Shodan results are persisted as structured host intelligence records, enriching IP indicators from threat intel feeds with real-world exposure data and enabling proactive attack surface monitoring.
Key Features
Host Intelligence Queries
Use queryShodan to trigger a Shodan-backed sync through the integration client and persist the returned host intelligence to PostgreSQL scoped to the organisation. Returned host records include open ports, service banners, detected software versions, CVE references, operating system, ASN, geographic location, and Shodan tags (VPN, ICS, database, and others).
Clearance-Filtered Access
Host records carry secrecy_level tags. In joint intelligence environments where Shodan data is used to build classified network assessments, records can be tagged accordingly and restricted to cleared personnel.
Inventory and Statistics
The shodanHosts query returns all collected host records for an organisation, filterable by port, service, or tag. The shodanStats query aggregates counts by service type and CVE severity.
Use Cases
- Critical Infrastructure Exposure: Identify internet-facing OT/SCADA systems within monitored IP ranges before adversaries do. Shodan's ICS tags flag BACnet, Modbus, and SCADA-protocol-speaking devices.
- Vulnerability Prioritization: Correlate Shodan-reported CVEs against the asset inventory to prioritize patching for externally visible vulnerabilities before conducting deeper internal scanning.
- Threat Intel Enrichment: When a MISP indicator or STIX report references an IP address, pull its Shodan record to understand what services the adversary is operating, for example C2 server infrastructure research.
- Third-Party Risk Assessment: Query Shodan for IP ranges belonging to partner organisations or supply chain vendors to assess their external security posture as part of procurement due diligence.
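As an added example (not Argus's own code), the processing behind the inventory and statistics described above, run over a constructed Shodan-style host sample: it flattens raw hosts into per-host intelligence records, aggregates counts by service type and CVE severity as shodanStats does, and lists ICS-tagged hosts for the critical-infrastructure case. The response shape is an assumption modelled on Shodan REST API v1 host responses; the IPs come from the documentation range and the CVE ids are placeholders, not real scan data.

```python
import json
from collections import Counter

# Constructed sample shaped like Shodan REST API v1 host responses (assumed
# shape: top-level ip_str/asn/tags plus per-service entries under "data").
# IPs are from the documentation range; CVE ids are placeholders, not real.
SAMPLE_HOSTS = json.loads("""[
 {"ip_str": "203.0.113.10", "asn": "AS64496", "tags": ["ics"], "data": [
   {"port": 502, "product": "Modbus", "vulns": {}},
   {"port": 80, "product": "lighttpd", "version": "1.4.35",
    "vulns": {"CVE-0000-0001": {"cvss": 9.8}}}]},
 {"ip_str": "203.0.113.20", "asn": "AS64496", "tags": ["database"], "data": [
   {"port": 5432, "product": "PostgreSQL", "version": "12.4",
    "vulns": {"CVE-0000-0002": {"cvss": 5.3}, "CVE-0000-0003": {"cvss": 7.5}}}]}
]""")

def cvss_severity(score):
    """Bucket a CVSS base score into the usual qualitative rating."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return label
    return "low"

def to_host_records(hosts):
    """Flatten raw Shodan hosts into per-host intelligence records."""
    records = []
    for h in hosts:
        vulns = {}  # CVE id -> highest CVSS score seen on any service
        for svc in h.get("data", []):
            for cve, meta in svc.get("vulns", {}).items():
                vulns[cve] = max(vulns.get(cve, 0.0), float(meta.get("cvss", 0.0)))
        records.append({
            "ip": h["ip_str"], "asn": h.get("asn"),
            "tags": sorted(h.get("tags", [])),
            "services": [(s["port"], s.get("product")) for s in h.get("data", [])],
            "vulns": vulns,
        })
    return records

def shodan_stats(records):
    """Aggregate counts by service type and CVE severity (the shodanStats view)."""
    by_service = Counter(p for r in records for _, p in r["services"])
    by_severity = Counter(cvss_severity(s) for r in records for s in r["vulns"].values())
    return {"services": dict(by_service), "cve_severity": dict(by_severity)}

def ics_exposures(records):
    """IPs carrying Shodan's ICS tag: the critical-infrastructure exposure case."""
    return [r["ip"] for r in records if "ics" in r["tags"]]
```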
Integration
Available via GraphQL: shodanHosts, shodanStats (queries); queryShodan (mutation). All operations require authentication and organisation scoping.
Compatible with Shodan REST API v1. Works alongside SpiderFoot (comprehensive OSINT automation), GreyNoise (noise filtering), and MISP (IOC enrichment). Shodan host data feeds into OpenCTI for structured threat intelligence management and integrates with Cortex (TheHive) for analyst-driven enrichment workflows. Part of the 153 third-party integrations accessible through the Argus provider orchestration layer.
Open Standards
- CVE (Common Vulnerabilities and Exposures): Shodan-reported vulnerability identifiers are stored in the vulns field and surfaced directly, enabling correlation of externally visible service exposures against the globally recognised CVE catalogue.
- GraphQL: All queries (shodanHosts, shodanStats) and mutations (queryShodan) are exposed via a typed GraphQL API, allowing clients to request precisely the host intelligence fields they need.
- OAuth 2.0 Bearer Token (RFC 6750): The integration client authenticates to the Shodan REST API using a Bearer token in the Authorization header, conforming to the OAuth 2.0 token usage specification.
- STIX (Structured Threat Information eXpression): Shodan host records interoperate with STIX-based workflows; IP indicators from STIX reports can be enriched with Shodan exposure data, and results are forwarded to OpenCTI for structured threat intelligence management.
- TLS / X.509 (RFC 5280): Shodan captures and returns TLS certificate metadata for scanned hosts; this certificate data is ingested as part of the host intelligence record, supporting certificate-based exposure analysis.
- JSON (RFC 8259): All data exchanged between the Shodan REST API and the integration layer is in JSON format; host intelligence records are parsed, stored, and returned as JSON-serialisable structures throughout the pipeline.
Last Reviewed: 2026-03-18
Last Updated: 2026-04-14