Security teams do not have a lookup problem. They have a judgment problem.
Most alerts that reference external infrastructure arrive as raw IPs, domains, or certificates with too little context to make a fast call. Analysts pivot across tools, compare weak signals, and try to decide whether the host is benign Internet noise, suspicious infrastructure, or something that deserves escalation. The result: slower, inconsistent triage.
Today, Censys introduces Reputation Score, a host-level 0–100 score for public Internet infrastructure. It gives security teams a faster way to judge risk, plus the evidence behind that judgment. In Censys, each host gets a score band from Benign to Malicious, with supporting evidence exposed directly in the product and API.
This is not about replacing analysis. This is about scaling good judgment across the SOC: saving analyst time, raising the floor for junior responders, improving AI outcomes, and giving senior teams better context for scoping and response.
Scaling Good Judgement
Good defenders already know how to reason about risky infrastructure.
Experienced practitioners do not decide a host is risky from one isolated clue. They look for a pattern.
That pattern might include deceptive web content, suspicious delivery behavior, anonymization overlap, abusive hosting, offensive tooling, or a combination of weak signals that become strong when viewed together. Andrew Northern of Censys ARC recently showed how this kind of technique-based hunting can surface real malicious infrastructure at scale. In his latest research, technique-based HTTP body hunting reduced the observable web to 42 actionable results with a confirmed malicious hit rate above 20%, while tracing a five-stage XWorm delivery chain.
That is the right mental model for Reputation Score.
The goal is not to collapse all nuance into a magic number. The goal is to compress the kinds of infrastructure reasoning skilled defenders already use into a signal that works inside real SOC workflows.
How Does Censys Achieve This?
Comprehensive scoring requires comprehensive inputs.
Plenty of vendors assign a score. That’s not the hard part.
You cannot score what you cannot truly see. That’s the Censys difference. Reputation Score is grounded in Censys’ first-party Internet scanning and direct observation of public Internet infrastructure, not stitched-together enrichment or partial downstream visibility. The result is a verdict built on broader coverage, better raw evidence, and a more defensible view of external risk.
Another important feature: can the analyst inspect the reasoning behind the score? Ours is built from evidence categories that include command-and-control or offensive tooling infrastructure, phishing or deceptive infrastructure, risky network environments, and anonymization infrastructure. Censys exposes the resulting evidence rather than hiding it behind a black box.
That changes how the score can be used.
A Tier 1 analyst can use it to make a faster close-versus-escalate decision. An incident responder can use it to decide whether an external host deserves scoping attention. A detection engineer can use it as a risk-oriented signal to prioritize tuning and response logic. And AI or automation workflows can use it as a stronger starting signal, rather than making brittle decisions from raw indicators alone.
Integrating Intelligence
This belongs squarely in the SOC.
Security alerts frequently reference external infrastructure that the organization does not control. Those alerts lack context, and to get it, analysts pull up a different console — outside of where their decision is being made.
That is why Censys is pairing Reputation Score with broader infrastructure context and integrations for SIEM, SOAR, and threat intelligence workflows. Think of it as embedded infrastructure intelligence: asset context, service exposure, history, related infrastructure, and live rescans delivered where analysts already work.
A useful verdict should not force another swivel-chair workflow.
Example 1: Clearly malicious, obvious phishing verdict
A redacted host scored Malicious Risk (82) after Censys identified a phishing workflow in plain view: an HTTP service on port 4000, a redirect to /login, and a page titled “Evilginx | Login” prompting for credentials.
For an analyst, this is exactly the kind of case where a clear score plus visible evidence shortens the path from raw IP to confident escalation.
The point is not that analysts could never figure this out manually. It’s that they should not have to assemble the verdict from scratch when the infrastructure already presents a clear phishing pattern.
Example 2: Suspicious, but not automatically malicious
A redacted host scored Medium Risk (51)— not because Censys saw a single decisive malicious signal, but because the infrastructure combined two things analysts should care about: strong anonymization indicators and a recent history of security-tool exposure.
The host currently presented as a normal Wiki.js site and login page, which is exactly why this kind of example matters.
Reputation Score is useful here not because it overreacts, but because it gives analysts a defensible reason to look closer.
That is the kind of measured judgment security leaders want from a scoring system: enough signal to drive scrutiny, without the noise and overreach that erode analyst trust.
Example 3: High score first, confident pivot second
A redacted host scored Malicious Risk (92) based on a combination of anonymization and command-and-control style evidence, which was already enough to justify immediate attention. But the score was only the start.
The host also exposed a suspicious web-accessible filesystem with files like c.bat, AV.scr, photo.scr, and video.scr, along with a large number of CVEs across its exposed services. Those filenames are not proof by themselves, but they resemble the kinds of lure or staging artifacts analysts often see when payloads are made to look casual, harmless, or media-related.
The host was also geolocated to China, which would matter to many US-based defenders not because geography alone proves maliciousness, but because it can make the activity less explainable, less obviously legitimate, and harder to ignore when paired with the other signals already present.
From there, CensEye pivots opened up the bigger picture: related infrastructure with distinct body hashes, titles, and favicons, including one pivoted host running an old vulnerable FRP instance (an open-source reverse proxy application).
That is the operational value here. The score creates urgency. The pivots create understanding.
Powering Defensible Decisions
A better verdict requires a broader view.
A reputation score is only as credible as the visibility behind it.
The modern SOC needs a real Internet intelligence layer, not more static, stale indicators. Censys is framing that layer around real-time global Internet visibility, Censys ARC’s infrastructure-level intelligence, and data structured for automation and analyst workflows.
That is the deeper point of this launch.
Reputation Score is not just a number added to a host card. It’s an attempt to turn broad Internet visibility into a clearer operational judgment. Seeing the Internet is useful. Understanding what its signals mean, quickly and consistently, is what actually improves security operations.
What This Launch Really Does
Our SOC Workflow Tax post argued that analysts waste time assembling Internet context by hand from scattered tools and stale feeds. Reputation Score extends that same idea. It gives analysts a faster, more consistent answer to the first question they ask when an external IP shows up in an alert:
How worried should I be?
Not with a black-box verdict. With a score backed by evidence, built on broad Internet visibility, and designed to fit the way security teams actually work.
Censys isn’t trying to be your SIEM, EDR, or your entire threat intel program. It’s the ground-truth layer that makes those systems sharper. It’s a reduction in friction, so your analysts can spend their limited attention on decisions that matter.
Censys already fuels everything from Verizon DBIRs to ISAC briefings and bulletins. Now let it fuel your investigations and triage. Learn more about how Censys powers the SOC, or request a demo to start exploring how Censys can streamline your SOC workflows.
