Shodan

What is Shodan?

Shodan is a search engine for internet-connected devices and services, continuously scanning the public internet and indexing everything it finds: servers, routers, industrial control systems, security cameras, databases, and any other device with an exposed network port. For security teams, Shodan serves two primary purposes. The first is attack surface management: by searching for an organization's IP ranges, domain names, and SSL certificates, teams can identify assets that are unintentionally exposed to the internet, discover shadow IT, and find services running outdated or vulnerable software versions. The second is threat intelligence: Shodan can be used to identify infrastructure operated by threat actors, track the spread of specific vulnerabilities across the internet, and correlate suspicious IP addresses encountered in investigations with known hosting patterns associated with malicious campaigns.

How does Shodan work with Qevlar?

Qevlar uses Shodan to enrich IP addresses and domains encountered during automated investigations. When an investigation involves an unknown external IP or domain, Qevlar can query Shodan to determine what services are running on that infrastructure, whether it is associated with known malicious hosting, and whether it shares characteristics with other infrastructure linked to the same threat actor.