We scan the Internet (and the Dark Web) in a net-neutral manner. That means we scan every exposed assets and your View won't be limited to yours. We even scan the one you are not aware of...
Domain name based approach
We believe identifying assets based solely on IP addresses is an obsolete approach. We want every asset to be bound to a domain name. Better, it can be leveraged to pivot on an organization and find more associated domain names...and exposed assets.
We have data about every connected thing and we have the capability to perform an asset inventory. What is your next step? Build this inventory, and leverage our query language from the Alert API to receive information as soon as one of your exposed asset is at risk.
real numbers
Big Data, Fast
400+
ports scanned bi-monthly
3.0+ billion
DNS entries monthly
1.8+ billion
banners collected monthly
0.1 second
API response time
Avoid risks
Cut ransomware risks up-front
Find intrusion vectors before bad guys
Main initial access vectors are pretty much always the same: exposed RDP/VNC services, exposed VPN servers and...critical vulnerabilities on exposed assets. But more about that later... We perform protocol identification in a port number-agnostic approach and we also perform device classification. You want to list all your exposed RDP, VNC or VPNs? We have that information.
Identify most critical vulnerabilities
We have the same capabilities as attackers: identifying Internet exposed initial access vectors. Our vulnscan category of information has data about assets with critical vulnerabilities exploited to deploy ransomwares. This list is based on CISA Known Exploited Vulnerabilities.
Don't waste millions to recover
By using our solution, you will be able to create your asset inventory, find unknown assets belonging to your organization (or subcontractor), identify the risks they are exposed to and be alerted on critical vulnerabilities waiting to be exploited by cybercriminals...By being proactive, thanks to our solution -because we are scanning you in a continuous manner- you won't waste millions to recover.
Back to the future
Time-travel
24
24-month historical data
Along with our "classic" Internet (and Dark Web) scanning activities, we perform massive DNS resolutions. You can compare our solution with passive DNS data sources. Billions of DNS queries are made each month. We store 24 months of such historical data. Perfect to perform DNS enumeration starting by a single domain name.
7
Find assets as they were
We keep historical data for all our scans and data collection tasks. Within datascan category, you can go back to any time within the past 7 months. When a new threat comes up, you are able to dig in the past and perform Cyber Threat Intelligence investigations. Both in the clear & the Dark Web.
6
Ideal for forensic analysis
We read here and there that the average time to discover an intrusion is 6 months. What if you were able to see your compromised assets as they were in the past? Or maybe you want to have information on attackers IP addresses seen months ago? You will be able to do that and much more...
faq
Frequently asked questions.
Do you provide APIs to access the data?
Yes, that's our main customer use case. It is a REST API and we render JSON content.
What is your IPv4/IPv6 coverage?
We scan the full IPv4 address space (~3.8 billion unique IPs) and a portion of IPv6 address space (~360 million unique IPs). All our data is IPv4 & IPv6 compliant, we have the IPv6 field set to true or false to reflect which kind of data it is. For instance, resolver category of information is DNS resolution for both IPv6 & IPv4.
How many different ports are scanned?
We scan over than 420 ports, the complete list is available in our documentation. This list is regularly increased with new interesting ports. An interesting port is one that is seen as exploited in the wild by cybercriminals.
Do you scan both TCP/UDP ports?
We scan both TCP & UDP. For UDP, we send an application payload as this is the only way to get sure a service is listening. For instance, we send a DNS request to port 53/udp and if we get a DNS reply, the port is open and protocol identification states 'dns'.
What is the source IP distribution for your scans?
We use IP addresses located in different part of the world. We have scanners in Europe, Canada, the United States, Hong Kong & Singapore. Our goal is to have different views of exposed devices depending on the scanner location. We have a filter to render this view from a location or another.
Do you provide TLS certificate data?
Yes, both in datascan & ctl categories of information. CTL are Certificate Transparency logs, a major source of DNS-related information. In datascan, we negotiate TLS connections for specific ports and keep track of certificate data.
Do you provide information about identified operating systems/products/technologies?
Yes, for synscan, we provide OS fingerprint (Linux, Windows, SunOS, FreeBSD, ...). We also identify software and hardware technologies in datascan category. We identify roughly 20,000 software using the CPE normalization. Furthermore, in datascan, we perform CVE lookups to add unverified vulnerabilities. We only add CVEs when they are exploitable remotely, without authentication and with a CVSS score >= 7.5.
Do you provide information about identified misconfigurations and weaknesses?
Yes, we use tagging to identify weaknesses like open Web directories, software connected without authentication and many others. For instance, to identify open Web directories, you can filter with 'tag:opendir'. To identify exposed open databases, you can filter with 'tag:open device.class:database'.
Do you check the presence of vulnerabilities?
Yes, we check the presence (and absence) of critical vulnerabilities, those exploited by threat actors. The complete list of CVEs we identify in vulnscan increases over time, but we roughly check 110+ vulnerabilities today in a non-intrusive way. We develop our own checks based on public PoCs. We sanitize them as we only test vulnerabilities in a non-intrusive way.
Do you provide additional information on the IP address (hostname, passive DNS, ISP, providers, AS)?
Yes, we add geolocation to all our data, that includes the organization field which states the name of the datacenter where the asset is hosted. We also provide ASN information. We add reverse DNS and forward DNS to the data we collect too.
Do you provide raw response data?
Yes, we give the raw response data. Currently, we keep 16KB in this raw data field. This field can be used to perform full-text searches, like a classic Web search engine.
How many protocols are identified from the raw data?
We identify 70+ protocols today. Our goal is to enrich data to perform device classification and identification. Same is true for services we identify. We also scan complete URLs. As we perform protocol identification, we are able to find ssh services on other port than default 22, just for an example.
What is the refresh rate of your data?
The refresh rate depends on the category of information. For synscan and datascan, it is a bi-monthly refresh. For vulnscan, it is a weekly refresh. For threatlist, it is a daily refresh. Other categories are refreshed in a continuous way.
Do you provide historical data? Is it possible to pivot and identify previously observed data?
Yes, we have up to 24-month of historical data. You can pivot and identify previously observed data on any given field.
Do you provide a way to download in bulk the entire or extensive portions of the dataset?
Yes. For full datasets, we also sell raw data feeds access (please contact us at sales[at]onyphe{dot}io for the pricing). You can leverage the Export API for a subset of information we have or use Bulk APIs to send a massive number of requests.
