
OSINT Intelligence: Shodan Internet Exposure

Argus integrates with Shodan, the internet-connected device search engine, to surface external attack surface intelligence for organisations and their monitored assets. Shodan continuously indexes internet-facing service

Module metadata

Source reference

content/modules/osint-shodan-internet-exposure.md

Last updated

18 Mar 2026

Category

Intelligence

Content checksum

9f417294a8d044cd

Tags

intelligence

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

Argus integrates with Shodan, the internet-connected device search engine, to surface external attack surface intelligence for organisations and their monitored assets. Shodan continuously indexes internet-facing services, banners, TLS certificates, device types, and vulnerabilities across the global IPv4 space. Within Argus, Shodan results are persisted as structured host intelligence records, enriching IP indicators from threat intel feeds with real-world exposure data and enabling proactive attack surface monitoring.

Key Features

Host Intelligence Queries

Submit IP addresses or CIDR ranges to syncShodanIntel, and Argus uses the fetch_shodan_intel_data client to query the Shodan API. Returned host records include open ports, service banners, detected software versions, CVE references, operating system, ASN, geographic location, and Shodan tags (VPN, ICS, database, etc.). Results are persisted to PostgreSQL scoped to the organisation.

Clearance-Filtered Access

Host records carry secrecy_level tags. In joint intelligence environments where Shodan data is used to build classified network assessments, records can be tagged accordingly and restricted to cleared personnel.

Inventory and Statistics

The shodanIntelItems query returns all collected host records for an organisation, filterable by port, service, or tag. The shodanIntelStats query aggregates counts by service type and CVE severity.

Use Cases

  • Critical Infrastructure Exposure: Identify internet-facing OT/SCADA systems within monitored IP ranges before adversaries do -- Shodan's ICS tags flag BACnet, Modbus, and SCADA-protocol-speaking devices.
  • Vulnerability Prioritisation: Correlate Shodan-reported CVEs against the asset inventory to prioritise patching for externally visible vulnerabilities before conducting deeper internal scanning.
  • Threat Intel Enrichment: When a MISP indicator or STIX report references an IP address, pull its Shodan record to understand what services the adversary is operating, for example during C2 server infrastructure research.
  • Third-Party Risk Assessment: Query Shodan for IP ranges belonging to partner organisations or supply chain vendors to assess their external security posture as part of procurement due diligence.
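
The critical-infrastructure and vulnerability-prioritisation use cases above, as an added example (not Argus code and not part of the original module documentation). It assumes host records shaped like Shodan's host-lookup JSON (ip_str, tags, data[].port, data[].vulns); the MONITORED inventory, the ICS-first ordering, the documentation-range IPs and the placeholder CVE ids are all constructed for illustration.

```python
import ipaddress

# Constructed sample records; field names assume Shodan's host-lookup JSON.
# IPs are documentation ranges and CVE ids are placeholders, not real findings.
SAMPLE_HOSTS = [
    {"ip_str": "192.0.2.10", "tags": ["ics"], "data": [
        {"port": 502, "product": "Modbus gateway", "vulns": {}}]},
    {"ip_str": "192.0.2.44", "tags": [], "data": [
        {"port": 443, "product": "nginx",
         "vulns": {"CVE-0000-0001": {"cvss": 9.8}, "CVE-0000-0002": {"cvss": 5.3}}},
        {"port": 22, "product": "OpenSSH", "vulns": {"CVE-0000-0003": {"cvss": 7.5}}}]},
    {"ip_str": "198.51.100.7", "tags": ["database"], "data": [
        {"port": 5432, "product": "PostgreSQL", "vulns": {"CVE-0000-0004": {"cvss": 8.1}}}]},
    {"ip_str": "203.0.113.5", "tags": ["vpn"], "data": [
        {"port": 443, "product": "VPN portal", "vulns": {"CVE-0000-0005": {"cvss": 10.0}}}]},
]
MONITORED = ["192.0.2.0/24", "198.51.100.0/28"]  # hypothetical asset inventory

def in_scope(ip, cidrs):
    """True if ip belongs to one of the organisation's monitored ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def prioritise(hosts, cidrs):
    """In-scope hosts, ICS-tagged first, then by worst externally visible CVE."""
    findings = []
    for host in hosts:
        if not in_scope(host["ip_str"], cidrs):
            continue  # never report on addresses outside the inventory
        cves = {}
        for banner in host.get("data", []):
            for cve, info in (banner.get("vulns") or {}).items():
                score = float(info.get("cvss") or 0.0)  # cvss may be missing
                cves[cve] = max(score, cves.get(cve, 0.0))
        findings.append({
            "ip": host["ip_str"],
            "ics": "ics" in host.get("tags", []),
            "ports": sorted({b["port"] for b in host.get("data", [])}),
            "max_cvss": max(cves.values(), default=0.0),
            "cves": sorted(cves, key=cves.get, reverse=True),
        })
    return sorted(findings, key=lambda f: (f["ics"], f["max_cvss"]), reverse=True)

if __name__ == "__main__":
    for finding in prioritise(SAMPLE_HOSTS, MONITORED):
        print(finding)
```

The scope check runs before any scoring, so a record for an address outside the inventory (here 203.0.113.5) is dropped even though it carries the highest CVSS value in the sample.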

Integration

Available via GraphQL: shodanIntelItems, shodanIntelStats (queries); syncShodanIntel (mutation). All operations require authentication and organisation scoping.

Compatible with Shodan REST API v1. Works alongside SpiderFoot (comprehensive OSINT automation), GreyNoise (noise filtering), and MISP (IOC enrichment).

Last Reviewed: 2026-03-18