Introduction
Security Operations teams are being asked to move faster, investigate more accurately, and use automation and AI to understand what is happening not only across their own environments, but outside their firewall as well. Google helps teams achieve this through the SecOps platform, but as SOCs are pressured to deliver faster triage, more in-depth investigations, wider hunting, and accurate detections, one thing becomes clear: high-quality, high-fidelity, world-class external Internet intelligence data on adversaries is key to fulfilling the goals of the AI-enabled SOC.
This is where Censys steps in.
Censys provides the foundational Internet mapping data that gives Google SecOps users rich, real-time context about IPs, web properties, certificates, active DNS, history, adversary clusters, and relationships. With the Censys for Google SecOps SOAR integrations, teams can automatically enrich their alerts with Censys data and get all the context they need to make quick, accurate decisions that proactively protect their organization.
Why External Infrastructure Context Matters
Many alerts begin with a simple indicator: an IP address, domain or certificate hash, for example. On its own, this indicator only tells part of the story. An analyst still needs more detail, such as:
- Is this infrastructure newly spun up, or has it been around for a while?
- What services are exposed?
- Any certificates associated with it?
- Is this host malicious?
- Is that indicator related to other suspicious infrastructure?
- Was this service active when the incident was triggered?
- Has the host changed recently?
- Is this something we should block, hunt deeper, escalate or ignore?
Without context, analysts lose time pivoting across different tools, ingesting from multiple data sources, and reconstructing relationships to answer the questions above. It doesn’t matter whether those tasks are completed manually or automated with the help of AI; if the contextual data isn’t at the forefront of every decision, investigation, or detection, then teams will not get the results they expect, no matter how much AI they throw at it.
Censys closes that gap by bringing Internet-scale intelligence directly into Google SecOps workflows, so that those questions are answered immediately without needing to look elsewhere. And by injecting contextualized, evidence-backed data at the start, organizations can even reduce AI token costs.
Google SecOps + Censys: Enrichment Where Analysts Already Work
Google SecOps supports enrichment of indicators, events, and cases through playbooks, helping teams add context throughout their investigation, triage, detection and response workflows. The Censys integration extends that model with external Internet mapping intelligence without requiring analysts to leave their SecOps workflow. Censys actions can be run directly from a SecOps case or triggered automatically through playbooks. Currently, the integration supports these key actions:
- Entity enrichment for hosts, web properties and certificates. This can be a manual enrichment or automated.
- Rescan actions to refresh Censys observations outside of the scheduled scan.
- Historical lookups to understand how an asset has changed over time.
- Related infrastructure discovery to identify clusters of interest from an indicator.
This creates a stronger foundation for triage, threat hunting, detection engineering, and incident response use cases — everything that the AI-enabled SOC needs.
Let’s explore how Google SecOps + Censys works for each use case.
Use Case #1: Faster, Higher Confidence Alert Triaging
In a traditional SOC workflow, alert triage often starts with a basic question: “Is this worth investigating?”
Censys helps answer that question faster.
When an alert contains an IP address, domain, web property, or certificate, Google SecOps can invoke Censys enrichment to return external context such as exposed services, certificates, host details, web technologies, and security configurations. The actual IP address is also scored by Censys through its intelligent Reputation Scoring method that instantly lets analysts know if it’s malicious, high risk, medium risk, low risk, or benign.
If the Reputation Score is used in automated workflows, analysts can confidently triage thousands of alerts within minutes by ignoring the benign and low-risk hosts and concentrating only on malicious and high-risk hosts.
The overall result is faster, more accurate triage with clearer reasoning.
Use Case #2: Threat Hunting Across Related Infrastructure
Threat hunters rarely care about a single IOC in isolation. The real value comes from understanding the broader cluster of infrastructure that surrounds it.
Censys enables this by allowing hunters to pivot from one observable IOC into related infrastructure. Through the Google SecOps integration, users can use the powerful CensEye to discover related assets for a host, web property, or certificate. This is especially valuable when threat actors reuse infrastructure patterns rather than exact indicators. A single IP may rotate out, but certificates, other configurations, or naming conventions may reveal a larger campaign.
Inside Google SecOps, this allows hunters to move from an isolated IOC to an infrastructure-led investigation. This, in turn, supports a more proactive approach in the AI-enabled SOC, where teams uncover adversary footprints instead of waiting for that indicator to become an alert in the future.
Use Case #3: Detection Engineering With Internet Mapping Context
Detection engineering becomes more powerful when rules are informed by external infrastructure context.
Google SecOps supports customer detection authoring using YARA-L and also enables users to leverage natural language and Gemini to search, iterate, drill down, and create detections. Censys now adds another layer: infrastructure intelligence that can help detection engineers understand what to look for and why it matters.
For example, detection engineers can use Censys to identify patterns such as:
- Newly exposed services associated with suspicious infrastructure.
- Certificates reused across multiple suspicious hosts.
- Web properties sharing technologies with known malicious infrastructure.
- Infrastructure that appears, disappears, or changes during a campaign window.
- Hosts with service histories that align with attacker staging or payload delivery.
This can help detection engineering teams move beyond static IOC-based detections and towards behaviorally informed, infrastructure-aware detections. The value is not just detecting one bad IP, but understanding the infrastructure pattern well enough to detect the next one.
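The certificate pivot from the threat hunting use case and the "certificates reused across multiple suspicious hosts" pattern listed above can be expressed as one small piece of hunting logic. The following is an added example, not code from Censys or Google; the observation records, certificate labels and the `max_hosts_per_cert` cut-off are assumptions constructed for illustration, and no Censys API is called.

```python
from collections import defaultdict, deque

# Constructed (host, certificate label) observations. Addresses are
# documentation ranges (RFC 5737); labels stand in for real fingerprints.
OBSERVATIONS = [
    ("192.0.2.10", "cert-A"), ("192.0.2.11", "cert-A"),
    ("192.0.2.11", "cert-B"), ("198.51.100.7", "cert-B"),
    ("198.51.100.7", "cert-shared"), ("203.0.113.1", "cert-shared"),
    ("203.0.113.2", "cert-shared"), ("203.0.113.3", "cert-shared"),
    ("203.0.113.4", "cert-shared"), ("203.0.113.50", "cert-C"),
]

def build_index(observations):
    """Index the observations in both directions for pivoting."""
    hosts_by_cert, certs_by_host = defaultdict(set), defaultdict(set)
    for host, cert in observations:
        hosts_by_cert[cert].add(host)
        certs_by_host[host].add(cert)
    return hosts_by_cert, certs_by_host

def related_hosts(observations, seed, max_hosts_per_cert=3):
    """Breadth-first pivot from a seed host through shared certificates.

    Returns {host: [certs pivoted through]} so every hit is explainable.
    Certificates seen on more than max_hosts_per_cert hosts (assumed
    threshold) are skipped: widely shared certificates such as hosting
    defaults would otherwise merge unrelated infrastructure.
    """
    hosts_by_cert, certs_by_host = build_index(observations)
    found = {seed: []}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for cert in sorted(certs_by_host[host]):
            peers = hosts_by_cert[cert]
            if len(peers) > max_hosts_per_cert:
                continue
            for peer in sorted(peers):
                if peer not in found:
                    found[peer] = found[host] + [cert]
                    queue.append(peer)
    return found

def reused_certs(observations, min_hosts=2, max_hosts_per_cert=3):
    """Certificates reused across several hosts but not widely shared."""
    hosts_by_cert, _ = build_index(observations)
    return {c: sorted(h) for c, h in hosts_by_cert.items()
            if min_hosts <= len(h) <= max_hosts_per_cert}

if __name__ == "__main__":
    for host, path in related_hosts(OBSERVATIONS, "192.0.2.10").items():
        print(host, "via", path or "seed")
```

The returned pivot path is what makes a related host defensible in a case note: each hit records which certificates link it back to the original indicator.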
Use Case #4: Incident Response With Historical Asset Context
During incident response, timing matters.
Responders need to know what an external host looked like at the time of an event, not just what it looks like now. Censys historical data helps teams understand how a host appeared at a particular point in time, with scan snapshots and event history showing when services were added, removed or modified.
This is critical when investigating callbacks, credential theft, phishing infrastructure, or suspicious outbound connections. An IP may no longer expose the same service by the time an analyst investigates. A domain may have changed hosting providers. A service may have appeared briefly and disappeared, or a certificate may have rotated.
With Censys historical lookups available through the Google SecOps integration, responders can investigate infrastructure as it existed during the relevant incident window, helping teams track changes over time and giving incident responders better evidence for containment, scoping, and post-incident analysis.
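To make the "as it existed during the incident window" point concrete, the added example below (not Censys or Google code) replays a host's service change events to rebuild what was exposed at the incident time and compares it with the current view. The event record shape, field names and sample values are assumptions constructed for this illustration and are not the Censys history schema.

```python
from datetime import datetime, timezone

# Constructed change history for one host (documentation address
# 192.0.2.10). Field names are assumptions made for this example.
HISTORY = [
    {"time": "2024-05-01T08:00:00Z", "change": "added", "port": 22,
     "service": "SSH"},
    {"time": "2024-05-03T14:10:00Z", "change": "added", "port": 8443,
     "service": "HTTP", "cert": "constructed-cert-A"},
    {"time": "2024-05-03T19:45:00Z", "change": "modified", "port": 8443,
     "service": "HTTP", "cert": "constructed-cert-B"},
    {"time": "2024-05-04T02:30:00Z", "change": "removed", "port": 8443},
]

def parse_ts(value):
    """Parse the UTC timestamps used in the constructed history."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)

def services_at(history, when):
    """Replay events up to `when`; return {port: details} exposed then."""
    state = {}
    for ev in sorted(history, key=lambda e: parse_ts(e["time"])):
        if parse_ts(ev["time"]) > when:
            break
        if ev["change"] == "removed":
            state.pop(ev["port"], None)
        else:  # "added" and "modified" both set the current details
            state[ev["port"]] = {"service": ev.get("service"),
                                 "cert": ev.get("cert"),
                                 "last_change": ev["time"]}
    return state

def compare_incident_to_now(history, incident_time, now):
    """Contrast the view at incident time with the view at `now`."""
    then, current = services_at(history, incident_time), services_at(history, now)
    return {
        "exposed_at_incident": sorted(then),
        "exposed_now": sorted(current),
        "gone_since_incident": sorted(set(then) - set(current)),
        "changes_after_incident": [
            ev for ev in history
            if incident_time < parse_ts(ev["time"]) <= now],
    }

if __name__ == "__main__":
    incident = parse_ts("2024-05-03T16:00:00Z")
    today = parse_ts("2024-05-10T00:00:00Z")
    print(compare_incident_to_now(HISTORY, incident, today))
```

In the constructed data, an analyst looking only at the current view would see SSH alone and miss that port 8443 was serving a different certificate at the time of the callback.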
Use Case #5: Rescans, Refreshing The Internet View When It Matters
Internet infrastructure changes constantly. Attackers rotate services, move infrastructure on the fly, update certificates, and stand up short-lived assets.
For the first four use cases, analysts need the latest view; the context they had just a few hours ago may already be out of date. A rescan lets analysts scan for any changes on-demand rather than having to wait for the scheduled scans, which may be too late. With the Censys rescan integration, Google SecOps can initiate a rescan of all data and return a scan ID that can be used to monitor status. This is especially useful when:
- An alert references infrastructure that may have changed since last observation.
- A suspicious service needs to be verified before escalation.
- A responder wants to confirm whether exposed infrastructure is still active.
- A hunter wants the freshest possible data before expanding an investigation.
For the AI-enabled SOC, rescans help ensure that automated reasoning is grounded in truth and current evidence, not stale observations.
Conclusion
The future SOC will not be defined by automation per se; rather, it will be defined by the quality of the data that powers automation and AI.
Together, Google SecOps and Censys can help security teams:
- Triage alerts faster with richer infrastructure context.
- Hunt beyond isolated IOCs into related infrastructure.
- Create stronger detections based on observable infrastructure patterns.
- Investigate incidents using current and historical internet asset data.
- Invoke manual or automated enrichment directly inside existing SOC workflows.
- Refresh observations with rescans when the latest Internet view is needed.
- Use CensEye to uncover related infrastructure and support deeper adversary investigations.
For the AI-enabled SOC, this is the difference between just reacting to alerts and being able to understand the infrastructure behind them.
Google and Censys are the perfect partners to enable AI-assisted security operations to be faster, more accurate, and more actionable than ever before.

