The need for real-time, accurate internet intelligence has never been more critical. Security teams face the daunting task of managing internet exposure, tracking emerging threats, and detecting compromises in a landscape where attacks can originate from once-trusted networks, and infrastructure constantly shifts in ephemeral cloud environments. These challenges underscore the need for a comprehensive, real-time view of the internet to effectively manage exposures, track emerging threats, and swiftly detect vulnerabilities.
Good Enough Data Isn’t Good Enough
The cybersecurity market is inundated with vendors offering data and threat intelligence solutions, yet security teams frequently encounter a critical issue – the data they rely on is often incomplete and outdated. This reality places a heavy burden on these teams, leading to an exhaustive cycle of sifting, filtering, and verifying information for accuracy.
In a domain where time equates to security, the ability to rapidly identify a suspicious server can drastically alter the effectiveness of response strategies. This speed is not a luxury, but a necessity; identifying threats within hours, not weeks, can be the difference between a contained incident and a full-blown breach. Researchers and threat hunters, in particular, depend on precise and timely data about hosts and services. This information is pivotal in augmenting network logs and constructing accurate timelines of infrastructure activity, aiding in the early detection and mitigation of threats.
Raising the Bar Through Rigorous Self-Benchmarking
At Censys, we want to do more than claim we have unmatched internet intelligence–we want to prove it. That’s why our research team set out to benchmark our own scanning engine against the nearest competitor in the market. This self-imposed challenge was more than a test of technology; it is a reflection of our dedication to being the one place to understand everything on the internet.
By evaluating our scanning engine’s performance in detecting newly opened ports, we aim to better understand areas in our data collection and scanning that offer opportunities for improvement. This benchmarking was not just an internal exercise, but a clear message to our customers that when they choose Censys, they are choosing a partner who is unwavering in their commitment to delivering the most complete, contextual, and up-to-date index of the hosts and services on the internet.
Deploy the Honeypots and Let the Testing Begin
Our objective was clear: to measure and compare the speed and accuracy of Censys’s detection capabilities against those of our nearest competitor. To achieve this, we employed a strategic approach by simulating a slice of the internet using honeypots.
Honeypots are essentially dummy servers designed to mimic real internet hosts, acting as bait to attract interactions. We deployed over 300 honeypots across various regions within Google Cloud. Each honeypot was configured to expose six widely-used TCP-based services, each associated with a specific port: FTP (21), TELNET (23), HTTP (80), HTTPS (443), SSH (2222), and MYSQL (3306). These services were chosen due to their widespread use and the commonality of threats associated with them, making them ideal for a robust and realistic assessment.
The activation of these honeypots was carefully staggered. We started them at different days of the week and times of the day to simulate a varied internet environment. This approach not only added complexity to the test but also ensured a comprehensive evaluation of the scanning engines’ capabilities in different scenarios. The critical metric of this benchmarking was the speed at which Censys and our nearest competitor could detect these newly activated hosts.
The Results Speak for Themselves – Censys Found New Services 6 Times Faster Than The Nearest Competitor
The outcomes of our benchmarking exercise were both revealing and affirming. In the critical first 24 hours after a honeypot service went online, Censys demonstrated a significant lead in detection capabilities, detecting over 80% of services on average, in stark contrast to our nearest competitor, which found only 12%. This pattern held consistent across different ports, underscoring the thoroughness of our scanning engine.
As we extended the observation period beyond the initial 24 hours, Censys’s performance remained unmatched. Within a week, every single honeypot service was discovered by Censys, while the competitor identified only 57% of the services on average. Even in their best-performing area, on port 2222, they detected a maximum of 71.1% of the services, another clear indication of Censys’s superior coverage.
The time-to-discovery metric further highlighted the stark difference between Censys and the competitor. On average, Censys discovered new services in about 12.3 hours across all ports, while the competitor took nearly six times longer, averaging around 70 hours. This is not just a marginal improvement; it is a demonstration of Censys’s ability to provide timely data, a crucial factor in the fast-paced realm of cybersecurity.
Our analysis also showed a striking difference in the distribution of discovery times. Censys discovery times were consistently quick, with a median of 8.9 hours, indicating a reliable and rapid detection capability. In contrast, the competitor’s times were more variable and averaged at 62.1 hours. This disparity is critical for threat hunters and security teams who rely on the most up-to-date information for their operations.
The Ground Truth for Global Internet Infrastructure
Our comprehensive benchmarking exercise not only demonstrated Censys’s superiority in rapid asset discovery but also affirmed our unwavering commitment to providing the most accurate and up-to-date set of internet intelligence. The foundation of the Censys Internet Intelligence Platform is our data and we want to be completely transparent about our data refresh frequency and our rigorous maintenance standards because we understand that security professionals have to trust their internet scanner.
Our proprietary internet scanning provides the data that powers Censys Search and Censys Exposure Management. This research proves that products are only as good as the data that powers them. What good is a tool that isn’t showing you the full picture, or worse, presenting outdated information? With Censys, you’re not just accessing a tool; you’re harnessing a continuously updated, comprehensive view of the internet. This means you can confidently make informed decisions, stay ahead of potential threats, and secure your digital assets with the highest level of precision.
The challenge to keep raising the bar continues and we accept — let us demonstrate how our industry-leading data will outperform any other vendor when it comes to providing the most complete, contextual, and up-to-date index of hosts and services on the internet.
Contact us for a demo or try Censys Search today to compare the results yourself!
