Gainullina Ekaterina, Security Vision
Introduction
The third part of our comparative review examines two relatively new but already noteworthy tools - Netlas and Criminal IP. Both platforms appeared on the market in 2022 and brought a fresh approach to OSINT, external infrastructure monitoring and cyber threat analysis.
Netlas focuses on domain names, uniform data freshness and ease of monitoring, positioning itself as an External Attack Surface Management tool. Criminal IP, in turn, combines an Internet scanner with the capabilities of a cyber threat intelligence platform, including automatic analysis of phishing sites, IP risk scoring and image search.
This part looks in detail at the architecture and features of both services, gives examples of their use in practical cases, and assesses their role as a complement to the better-known Shodan, Censys and FOFA.
Netlas is a new player with a focus on domains and data freshness

General characteristics
Netlas is a relatively young network asset search engine (founded in 2022) developed by a team from Eastern Europe. It stands out for several interesting approaches: it indexes not only IP addresses but also domain names, and it strives for uniform data freshness across all services. Netlas is positioned as an External Attack Surface Management (EASM) tool: in addition to search, the service offers monitoring and on-demand private scanning, aimed at companies that need to track their external infrastructure.
Scanning and data
Netlas public scanners regularly probe up to 146 ports on each IP (141 TCP and 5 UDP). This is fewer than Shodan or ZoomEye, but Netlas compensates by concentrating on the most important services. The list includes all standard web ports (80, 443, 8080, 8443), mail protocols (25, 587, 465, 110, 995), databases (27017, 3306, 5432, etc.), VPN (1194, 500, 1701, ...), industrial protocols (102, 502) and other popular services; the full list is published in the Netlas documentation. Private Scanner is a separate feature for customers that scans an extended list (~1300 ports) on request, bringing coverage closer to ZoomEye. The main distinction of Netlas is that it scans all selected ports evenly: if a host is included in the current scan, information on all 146 ports is refreshed at once, regardless of their popularity. This avoids a situation typical of Shodan/FOFA, where port 80 on an IP was updated yesterday and port 8080 a month ago (so its banner may be stale). Netlas, by contrast, holds that the freshness of data should be consistent across the whole host.
Netlas indexes domain names in parallel with IPs. When it detects a web service, Netlas records all domains and subdomains found in its certificates or banners and maintains a separate DNS index. This makes Netlas very strong at searching by domain names and related records. You can search by domain pattern (domain:"*.example.com"), by DNS record content (for example, dns.txt:"v=spf1 include:mailgun.org" to find all domains whose SPF records point to Mailgun), or by SSL certificate properties (cert.subject.CN="example.com"). This focus on DNS has an interesting side effect: Netlas finds significantly more unique web resources. In tests, the number of records on ports 80/443 in Netlas was several times higher than that of competitors, because virtual hosts and domain aliases are counted. For example, Netlas counts ~344 million services on port 80, while FOFA has ~66 million and Shodan ~145 million. If you count only unique IPv4 addresses, however, the difference is far less dramatic: Netlas detects ~44 million active IPv4 hosts with port 80 open, close to Censys (~51 million). In other words, Netlas includes many DNS names pointing to the same IPs, which can be either useful or redundant depending on the task. Nevertheless, this approach is convenient when analyzing a company's external web resources: you immediately see all the domains leading to one server.
Search language and interface
Search in Netlas is very flexible. The service has a modern web interface with an advanced UI and its own DSL (domain-specific language) for queries. Formally, queries resemble JSON conditions: for example, you can write protocol:"HTTP" or combine several conditions with AND/OR. For convenience, however, Netlas also understands Shodan/FOFA-style syntax: most queries like port:443 country:RU product:Apache work even though they are not strictly JSON-compliant. There are filters by IP, port, domain, hostname, technology (server name or banner fingerprint, such as tech:nginx), country/ASN, certificate parameters (such as cert.subject:"CN=example.com" or the certificate SHA-1 hash), HTTP content (http.title, http.body), and more; fields and operators are documented on the site. An example of a complex query: "find all devices with open RDP that have an SSL certificate issued by Microsoft and the word Windows on the web page" - in Netlas this is expressed as a combination of conditions on port 3389, the certificate issuer field and the HTML body. The Netlas language also supports fuzzy search, i.e. matching on partial strings, which is useful when you do not know the exact name. The interface includes convenient auto-completion and ready-made query templates: a Featured Queries library with examples for different cases (open cameras, Jenkins panels, etc.). Results are shown as a table that can be sorted and filtered directly in the UI (for example, narrowing the found hosts by country or technology without issuing a new query).

Screenshot: results of the query port:8080 in the Netlas.io platform.
Unique features
In addition to its focus on domains, Netlas offers built-in DNS lookup and WHOIS lookup tools in the interface, so it can effectively replace the usual dig/whois utilities. When viewing a domain card, you immediately see its DNS records (A, MX, TXT, etc.) and WHOIS information without additional requests. There is also a separate certificate search (similar to Censys): you can find hosts by the SHA-1 fingerprint of a certificate or by a substring in its Subject/Issuer. In terms of data, Netlas emphasizes quality and relevance: when returning results, the service tries not to show "extras" - it drops much junk (such as repeated CDN banners and error pages), normalizes geolocation and merges duplicate DNS records. As a result, search results are often cleaner than Shodan's, where the same host can sometimes appear several times under different domains.
Examples of use
Netlas is a great choice for reconnaissance of a company's external infrastructure. For example, an analyst needs to find out which subdomains of company X have open ports and what runs on them. In Netlas, a single query domain:"*.companyx.com" returns all domains associated with the company together with their services, both those that point to a single IP (virtual hosts) and those spread across different IPs. The results can then be sorted by port to spot unusual services. Another case: Netlas is convenient for searching for specific page content combined with filtering by domain. For example, a bug hunter can search Netlas for all Zyxel device pages (banner:"ZyXEL") and immediately filter by the word "vulnerable" in the page text, identifying which devices display a vulnerability warning. Netlas is also suited to vulnerability monitoring thanks to its uniform updates: you can save a query such as product:"Apache httpd" AND cert.subject:"SomeCorp" (all Apache web servers of a given company) and watch whether a new port appears or a certificate changes - Netlas will send a notification. In red teaming, Netlas is valued for the ability to quickly run a private scan of a target range before an engagement: a team can scan a target /24 with non-standard ports using Netlas Private Scanner and get the result straight away in the familiar interface, saving the time of setting up its own scanners. In short, Netlas aims to combine the strengths of Shodan (banner search) and Censys (structured search plus ASM) with an added DNS dimension. It is still young, but already competes closely with the veterans.
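The monitoring workflow described above (save a domain-scoped query, then get told when a host gains a port or its certificate changes) is easy to reproduce on top of any scanner's exported results. The Python below is an added example written for this review, not Netlas code or its SDK: it composes queries in the domain:/port:/product: style shown in the text and diffs two constructed result snapshots. The snapshot field names (host, ip, port, product, cert_sha1) are an assumption for illustration and are not the real Netlas response schema.

```python
"""Added example (not Netlas code): compose Netlas-style queries for a
company's external surface and diff two result snapshots to raise the
"new port" / "certificate changed" alerts the article describes.

The snapshot records are CONSTRUCTED for this example. Their field names
(host, ip, port, product, cert_sha1) are an assumption for illustration
and are not the real Netlas response schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def build_query(domain: str, ports: Iterable[int] = (), product: str = "") -> str:
    """Compose a query in the domain:/port:/product: style used in the text,
    e.g. domain:"*.companyx.com" AND (port:80 OR port:443) AND product:"Apache httpd"."""
    terms = [f'domain:"*.{domain}"']
    port_list = list(ports)
    if port_list:
        terms.append("(" + " OR ".join(f"port:{p}" for p in port_list) + ")")
    if product:
        terms.append(f'product:"{product}"')
    return " AND ".join(terms)


@dataclass(frozen=True)
class Service:
    host: str
    ip: str
    port: int
    product: str
    cert_sha1: str  # empty string for services without TLS


def _index(snapshot: Iterable[Service]) -> Dict[Tuple[str, int], Service]:
    """Key each service by (host, port) so two snapshots can be compared."""
    return {(s.host, s.port): s for s in snapshot}


def diff_snapshots(old: Iterable[Service], new: Iterable[Service]) -> List[str]:
    """Return change events between two scans of the same saved query:
    NEW_PORT, CLOSED_PORT, CERT_CHANGED, PRODUCT_CHANGED. Unchanged
    services produce no event, so an empty list means nothing to alert on."""
    before, after = _index(old), _index(new)
    events: List[str] = []
    for key in sorted(set(after) - set(before)):
        s = after[key]
        events.append(f"NEW_PORT {s.host}:{s.port} ({s.product or 'unknown'}) on {s.ip}")
    for key in sorted(set(before) - set(after)):
        s = before[key]
        events.append(f"CLOSED_PORT {s.host}:{s.port} on {s.ip}")
    for key in sorted(set(before) & set(after)):
        o, n = before[key], after[key]
        if o.cert_sha1 != n.cert_sha1:
            events.append(f"CERT_CHANGED {n.host}:{n.port} {o.cert_sha1[:8]} -> {n.cert_sha1[:8]}")
        if o.product != n.product:
            events.append(f"PRODUCT_CHANGED {n.host}:{n.port} {o.product} -> {n.product}")
    return events


# Constructed snapshots: yesterday's and today's results for the same saved query.
YESTERDAY = [
    Service("www.companyx.com", "203.0.113.10", 443, "nginx", "aa11bb22cc33dd44ee55ff66aa11bb22cc33dd44"),
    Service("mail.companyx.com", "203.0.113.20", 25, "Postfix", ""),
    Service("vpn.companyx.com", "203.0.113.30", 443, "OpenVPN", "0123456789abcdef0123456789abcdef01234567"),
]
TODAY = [
    Service("www.companyx.com", "203.0.113.10", 443, "nginx", "ffeeddccbbaa99887766554433221100ffeeddcc"),  # certificate rotated
    Service("www.companyx.com", "203.0.113.10", 8080, "Apache httpd", ""),  # port appeared
    Service("mail.companyx.com", "203.0.113.20", 25, "Postfix", ""),  # unchanged
    # vpn.companyx.com:443 no longer answers
]


def changes_for_companyx() -> List[str]:
    """Run the diff on the constructed snapshots (used by the demo below)."""
    return diff_snapshots(YESTERDAY, TODAY)


if __name__ == "__main__":
    print("query:", build_query("companyx.com", [80, 443], "Apache httpd"))
    for event in changes_for_companyx():
        print("alert:", event)
```

Keying on (host, port) rather than on IP alone is deliberate: because Netlas records virtual hosts separately, a certificate swap on one name behind a shared IP shows up as its own event instead of being hidden behind the address. A CERT_CHANGED on a host you did not rotate is worth the same attention as a new port.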
Criminal IP – Threat Search with Artificial Intelligence
General characteristics
Criminal IP is the newest service in our review, launched in 2022 by the South Korean company AI Spera. Unlike the previous search engines, Criminal IP (CIP) is positioned not only as an Internet scanner but also as a Cyber Threat Intelligence platform. Its goal is to combine active scanning data with threat intelligence (malware, phishing, malicious activity) and provide a handy tool for assessing how malicious any IP address or domain is. Put simply, where Shodan or Censys tell you "what is open on this host", Criminal IP also aims to tell you "how dangerous this host is".
Scanning and data
Criminal IP, like the others, automatically collects data on IP addresses and ports around the world in near real time, but its sources are more varied: its own active port scanners, passive sensors (for example, deployed honeypots), malicious traffic analysis, blocklist databases, and so on. The developers claim that the system checks thousands of ports daily and collects banners of web services, databases, industrial systems, IoT devices, cryptocurrency nodes, etc., covering not only well-known ports but also registered (1024–49151) and dynamic (49152–65535) ones. In effect, CIP tries to scan the full port range (like Censys). It combines this with passive data: if an IP is observed by a honeypot sensor as a scanner or an attack source, that also enters the database. As a result, Criminal IP accumulates a large amount of metadata: geolocation, WHOIS, domains, web page screenshots, blocklist presence (DNSBL), malware activity information (for example, whether the IP has connected to a botnet command server), etc. In total, the developers claim an index of more than 4.2 billion IP addresses (that is, virtually all of IPv4) with varying levels of detail (FOFA Reviews - 2025).
Search and interface
Criminal IP offers four main search types: Asset Search, Domain Search, Image Search and Exploit Search.
Asset Search is search by IP addresses and ports, similar to Shodan. Filters by country, port, service, banner keywords and presence of vulnerabilities are supported. For example, country:KR port:3389 has:vuln finds all open RDP services in South Korea where CIP detected a vulnerability (for example, from the protocol version), and ip:203.0.113.0/24 status:404 shows all hosts in that subnet whose web server answers with HTTP 404 (yes, CIP can filter by HTTP status). Essentially, the Asset Search language is similar to Shodan/FOFA, with additional filters such as status: and has:vuln.
Domain Search is a feature unique to CIP: you enter a URL or domain and receive a detailed report on the site. It is somewhat like urlscan.io: CIP visits the page itself, takes a screenshot, analyzes the content for phishing or malware, collects all links and associated domains, and even gives a verdict on the site's safety. In effect, Domain Search is an online web page scanner. It is very useful for quickly assessing suspicious URLs: instead of opening a potentially dangerous site manually, you run Domain Search and get information about it safely.
Image Search is a particularly interesting feature: CIP indexes images (screenshots of desktops, camera feeds, etc.) and allows searching by image pattern. You can upload a picture and CIP will find similar ones among the screenshots in its database. For example, by uploading a screenshot of an IoT camera's interface you can find all similar cameras, which helps identify a device's brand from the look of its interface. Or, as the developers demonstrated, you can search by text on the screenshot: CIP runs OCR and indexes what is written in the picture. For example, you can find all RDP screenshots containing the word "encrypted" - this is how ransomware-infected machines showing an encryption notice on the desktop were identified. This is a new search angle absent from the other services considered.
Exploit Search is a section for searching known exploits and vulnerabilities. It is in effect a built-in search over exploit-db, Metasploit and other databases, linked to Asset Search. You enter the vulnerability name or a CVE, and CIP shows a description and a list of IPs/domains associated with it. It looks like a separate catalog, but it is integrated: having found a host with a vulnerable service in Asset Search, you can click the CVE and see an exploit for it, or go the other way, from the Exploit section to a search for vulnerable hosts.
The Criminal IP interface is modern and supports several languages (English, Korean, Japanese, French). The main page is a single search bar with a switch between search types. Asset Search results are presented as a table: IP, list of open ports, Risk Score, tags. You can see at once whether the IP is marked as malicious, proxy/VPN, botnet, etc. Clicking an IP opens a detailed report:

Example: a Criminal IP report for a single address (fragment). Visible are the IP Scoring indicators - 99% Inbound (inbound risk critical) and 40% Outbound - the Detection summary (Hosting IP), the Current Open Ports list (22, 80, 443, 2048, 8080, 8443), some labeled "This has vulnerabilities", and the attributes on the right: Proxy IP (No), VPN IP (N/A), Tor IP (No), Hosting IP (True). This IP is clearly compromised. Source: Criminal IP Asset Search interface.
The IP Risk Score is displayed prominently at the top of the report as two ring indicators: Inbound (how dangerous the IP is for you if traffic comes from it) and Outbound (how dangerous it is if your traffic goes to it). For example, 99% Inbound means the IP is known to be malicious and should not be allowed into the network, while 40% Outbound means connecting to it is a lower, though not negligible, risk. Below is the Current Open Ports section listing open ports with their services and the presence of vulnerabilities (CIP marks in red "this has vulnerabilities" for ports where vulnerable versions were found). On the right is the Summary/Detection block: country, ASN and flags - Proxy IP: Yes/No, VPN IP: Yes/No, Tor IP: Yes/No, Hosting IP: Yes/No, Mobile IP, CDN IP, Scanner IP, Special Issue, etc. That is, CIP tries to classify whether the IP is a VPN exit, a Tor node, a cloud server, a mobile address, a known scanner, and so on. There are also Abuse history (how many times the IP appeared in incidents, for example in botnet logs), Malicious history (a summary of malicious activity: involvement in phishing mailings, mining, etc.), Connected domains (related domains, such as PTR records and names from SSL certificates), Webcam data (if it is an IP camera, CIP can show frames), page screenshots, and much more. Essentially, Criminal IP gathers on one page everything that can be learned about an IP from open sources plus its own scanner.
This aggregated approach lets you understand immediately how dangerous an IP is and which threats are associated with it. Where Shodan provides raw data, CIP adds context: for example, it will show that this IP is listed in 5 botnets, an attack on a bank was launched from it, it has 10 open ports of which two are vulnerable, and a phishing domain is hosted on it. Such an IP is an obvious candidate for blocking in any security system.
API and integrations
Criminal IP provides a full REST API for all functions (search, retrieving reports, launching a URL scan); documentation is on the website. CIP has also thought about its ecosystem early: there are ready-made integrations with third-party SIEM/SOAR systems, for example modules for Splunk and QRadar, an integration with Cisco SecureX, a VirusTotal plugin, Maltego transforms, etc. Cisco praises CIP on its blog: the integration lets you enrich alerts with CIP data (risk scores, associated domains, abuse history) directly in the SOC. There is also a browser plugin, CIP Inspector, which shows IP information directly on a web page - an analogue of the Shodan plugin, but with an emphasis on threats.
API access is limited through a credit system. The initial free plan (Community) grants a certain number of credits (for example, 100 Asset Search queries and a couple of Domain scans per month; the numbers may change), which is enough to try the service. Paid plans follow: Basic (~$29/month), Professional (~$99/month), etc., with growing numbers of search and scan credits; for example, Basic may give 1000 Asset searches and 50 Domain scans per month, Pro more. AI Spera keeps the exact figures on its website. There are also custom enterprise offerings (for example, separate threat data feeds). Overall, the CIP model is closer to SaaS services than Shodan's: you pay not just for results but for analytics and reports.
Examples of use
Criminal IP is a specialized tool for analyzing cyber threats and filtering out noise. It is often described as a replacement for using Shodan, GreyNoise and VirusTotal together. Indeed, CIP covers several tasks: first, it lets you quickly determine by IP whether it belongs to known scanners (like GreyNoise) or malicious botnets (like VirusTotal or AbuseIPDB); second, it contains the functionality of an Internet scanner (like Shodan) for identifying open ports and services. The combination gives the following applications:
· Filtering false positives in the SOC: an analyst sees an IDS alert triggered by some IP. Checking it in Criminal IP shows IP Scoring Inbound: 0%, Outbound: 0%, Scanner: Yes - the IP is just a scanner (for example, a search engine or research project) and poses no threat, so the incident does not need to be escalated. Or, conversely, an access request arrives from an external IP and the CIP check shows Inbound Risk 85% with the tags Malicious: Yes, Proxy: Yes, Hosting: Yes - most likely suspicious traffic through an anonymizer, worth a closer look.
· Threat hunting: the team proactively searches for C2 servers or compromised hosts. Through CIP Image Search they can, for example, find screenshots bearing the text "Your files have been encrypted" - machines evidently infected with ransomware. CIP shows their IPs and domains, so you can notify the owners or check whether any are your own systems. Another example: via CIP Exploit Search you can find fresh exploits and immediately get a list of IPs to which the exploit applies (by software version). In other words, CIP speeds up the hunter's work by producing a list of candidate targets to check.
· Phishing and malware analysis: having received a suspicious URL, the analyst runs Domain Search in CIP. Within a minute there is a screenshot of the site, an assessment that it imitates a Microsoft 365 page (Phishing: High), a note that the domain was registered anonymously yesterday and is hosted on an IP in a data center in Ukraine, and three more suspicious domains on the same host. Such a report lets you decide quickly: block the domain, add the IOCs to the database, and so on. This is much faster than collecting the information by hand piece by piece.
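The SOC triage described in the first bullet above, and the "listed in 5 botnets, two vulnerable ports" host from the report walkthrough, come down to a small decision rule over the report fields. The Python below is an added example written for this review, not Criminal IP code: it encodes that rule and runs it on constructed reports. The dict layout (score.inbound/outbound, flags, abuse_reports, open_ports) is an assumption for illustration, not Criminal IP's actual API schema, and the thresholds are this example's choice rather than the vendor's.

```python
"""Added example (not Criminal IP code): turn a Criminal IP-style risk report
into a SOC triage decision, following the two cases in the text (benign
scanner vs. anonymized access from a high-risk IP) and the "listed in 5
botnets, two vulnerable ports" host from the report walkthrough.

The report dicts are CONSTRUCTED for this example. Their key names
(score.inbound/outbound, flags, abuse_reports, open_ports) are an
assumption for illustration, not Criminal IP's actual API schema, and the
thresholds are this example's choice, not the vendor's.
"""
from typing import Dict, List, Tuple

Verdict = Tuple[str, List[str]]  # (decision, reasons)

BLOCK_SCORE = 80   # at or above this, with confirmed abuse history, we block
REVIEW_SCORE = 40  # at or above this we at least look closer


def triage(report: Dict, direction: str = "inbound") -> Verdict:
    """Decide what to do about an IP.

    direction="inbound": the IP connected to us (IDS alert, login attempt);
    direction="outbound": one of our hosts connected to it (egress / C2 check).
    Returns one of benign_scanner, block, investigate, ignore plus the reasons.
    """
    scores = report["score"]
    score = scores[direction]
    flags = report.get("flags", {})
    abuse = report.get("abuse_reports", 0)
    reasons: List[str] = [f"{direction} score {score}%"]

    # Case 1 from the text: a known scanner with 0% in both directions is noise.
    if flags.get("scanner") and scores["inbound"] == 0 and scores["outbound"] == 0:
        return "benign_scanner", reasons + ["known scanner, no malicious history"]

    if flags.get("malicious"):
        reasons.append("flagged malicious")
    if abuse:
        reasons.append(f"{abuse} abuse reports")
    vuln_ports = [p["port"] for p in report.get("open_ports", []) if p.get("vulnerable")]
    if vuln_ports:
        reasons.append(f"vulnerable services on ports {vuln_ports}")
    anonymizers = [k for k in ("proxy", "vpn", "tor") if flags.get(k)]
    if anonymizers:
        reasons.append("anonymizer: " + ", ".join(anonymizers))

    # Block only on a high score backed by confirmed abuse history; a high
    # score alone (or a malicious flag alone) is grounds for investigation.
    if score >= BLOCK_SCORE and abuse:
        return "block", reasons
    if score >= REVIEW_SCORE or flags.get("malicious") or anonymizers or vuln_ports:
        return "investigate", reasons
    return "ignore", reasons


# Constructed reports (not real data), shaped like the cases in the text.
SAMPLES: Dict[str, Dict] = {
    "198.51.100.7": {  # research scanner that tripped the IDS
        "score": {"inbound": 0, "outbound": 0},
        "flags": {"scanner": True, "hosting": True},
        "abuse_reports": 0,
        "open_ports": [],
    },
    "203.0.113.45": {  # access attempt through an anonymizer
        "score": {"inbound": 85, "outbound": 30},
        "flags": {"malicious": True, "proxy": True, "hosting": True},
        "abuse_reports": 0,
        "open_ports": [],
    },
    "192.0.2.99": {  # botnet-listed host with vulnerable services
        "score": {"inbound": 99, "outbound": 40},
        "flags": {"malicious": True, "hosting": True},
        "abuse_reports": 5,
        "open_ports": [
            {"port": 22, "vulnerable": False},
            {"port": 8080, "vulnerable": True},
            {"port": 8443, "vulnerable": True},
        ],
    },
}


def triage_all(direction: str = "inbound") -> Dict[str, str]:
    """Decision per sample IP, e.g. for feeding a blocklist or an alert note."""
    return {ip: triage(r, direction)[0] for ip, r in SAMPLES.items()}


if __name__ == "__main__":
    for ip, report in SAMPLES.items():
        decision, why = triage(report)
        print(f"{ip:15} {decision:15} {'; '.join(why)}")
```

Two points of the design are worth keeping when adapting this to real feeds: the direction matters (the same botnet-listed host is a block for inbound traffic but only an investigate for an outbound connection, because its Outbound score is 40%), and a risk score on its own should not drive automated blocking; require corroborating history, otherwise a shared hosting IP with a single bad tenant gets blocked for everyone.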
Of course, Criminal IP is a complementary tool, not a replacement for Shodan or Censys: its device coverage is smaller (the focus is on threats rather than on maximum scanning completeness). But CIP offers a fresh perspective on the security problem by combining scanning data with threat context. It is already being integrated into commercial solutions (the Cisco SecureX example), and over time it may become a standard element of the SOC toolkit. Meanwhile, for individual researchers CIP is a valuable resource for incident investigation, attack analysis and detection of malicious infrastructure.
Conclusion
The platforms reviewed complement each other in many ways. Shodan is indispensable for quickly finding exposed devices and known vulnerabilities: it is updated promptly and easy to use. ZoomEye and FOFA broaden the search horizon with wider coverage of ports and content, and often find what Shodan missed (especially in the Asian segment and by content features). Censys provides depth and structure: when you need to describe a host's configuration in detail and cover all ports, it has no equal. Netlas brings a fresh approach with its emphasis on domains and freshness, making it a powerful tool for inventorying a company's external attack surface, monitoring changes and DNS-based OSINT investigations. Criminal IP goes beyond device search: it fills the threat intelligence niche, combining a scanner with threat analytics so that you immediately get an idea of how dangerous an object is.
In practice, security specialists, including Security Vision, often combine several tools for maximum coverage. For example, when working through an attack scenario, a team can find candidates via Shodan, then refine the details (all ports, configurations) via Censys, check additional domains and records via Netlas, look for exploitable services via ZoomEye/FOFA and, finally, assess the target's risk and activity history via Criminal IP. This multifaceted approach gives the most complete picture. Of course, resources and subscriptions for everything at once are not always available, so the choice of tool depends on the task.
To summarize the key areas of application:
· For a quick search for vulnerabilities and open services (classic pentest) - Shodan or ZoomEye (with a subscription) give the fastest results.
· For a deep inventory of the external surface (for example, bug bounty on a large enterprise) - a combination of Censys (all ports, TLS data) and FOFA (content search, subdomains) reveals the most.
· For continuous monitoring of changes on the external perimeter - Netlas and Shodan (Monitor function) are the best options, and it makes sense to add Censys ASM for comprehensive change control.
· For threat response and threat hunting - definitely Criminal IP (risk context), together with GreyNoise (for a cross-section of scanners) and, again, Shodan (which has an Exploits section and Malware Hunter for C2 searches).
Data freshness is a key factor: despite all their achievements, any of the services considered may hold outdated data on unpopular hosts or specific services. It is always worth double-checking critical findings with direct scanning (for example, nmap) or manually. Nevertheless, Internet scanners significantly speed up the work and allow you to see the big picture on a global scale - something impossible to do by hand.