Shodan is the world's first search engine for Internet-connected devices. It continuously crawls the public Internet to build a searchable database of servers, IoT devices, industrial control systems, routers, webcams, databases, and any other host that exposes a service. Shodan provides REST, Streaming, and Trends APIs along with on-demand scanning, network alerts, notifiers, DNS lookups, the InternetDB API, and the CVEDB vulnerability database. It is widely used for attack-surface management, security research, threat intelligence, vulnerability discovery, market research, and academic study of the Internet itself.
- Security, Search, Internet, Devices, IoT, Vulnerabilities, CVE, Attack Surface, Threat Intelligence, Reconnaissance, Network, DNS, Scanning, Public APIs
- Created: 2026-05-28
- Modified: 2026-05-30
The primary Shodan REST API exposes search methods, host lookups, on-demand scanning, network alerts, notifiers, the saved-query directory, DNS lookups, utility methods, account information, bulk data, and organization management. Authentication is via the `key` query parameter.
Human URL: https://developer.shodan.io/api
- REST, Search, Host, Scanning, Alerts, Notifiers, DNS
- Documentation
- APIReference
- Authentication
- OpenAPI
- JSONSchema (Host)
- JSONSchema (Search Result)
- JSONSchema (Alert)
- JSONSchema (Notifier)
- JSONSchema (Scan)
- JSONStructure (Host)
- JSONStructure (Alert)
- JSON-LD
- Example (Host Lookup)
- Example (Search)
- Example (Scan Create)
- Example (Alert Create)
The Shodan Streaming API provides a real-time firehose of banner data as Shodan collects it. Filtered streams are available by ASN, country, port, and CVE. Output is either newline-separated JSON or Server-Sent Events.
Human URL: https://developer.shodan.io/api/stream
- Streaming, Real-Time, Firehose, SSE
- Documentation
- APIReference
- AsyncAPI
- OpenAPI
- JSONSchema (Banner)
- JSONStructure (Banner)
- Example (Banner)
Trends is the historical analytics API for Shodan, exposing breakdowns of historical scan results aggregated by facet (product, port, country, organization, etc.) by month. Access is Enterprise-only.
Human URL: https://developer.shodan.io/api/trends
- Trends, Analytics, Historical, Enterprise
The InternetDB API is a free, unauthenticated lookup service that returns the open ports, CPEs, hostnames, tags, and known CVEs for any IPv4 address. The dataset is refreshed once per week. Free for non-commercial use; commercial use requires an enterprise license.
Human URL: https://internetdb.shodan.io/
- InternetDB, Free, IP Lookup, Public
CVEDB is Shodan's open vulnerability database API. It provides CVE lookups, CPE-keyed vulnerability search, KEV filtering, EPSS ordering, and date-range queries. No API key required; updated daily. Free for non-commercial use.
Human URL: https://cvedb.shodan.io/
- CVE, Vulnerabilities, CPE, KEV, EPSS, Free
- Website
- DeveloperPortal
- Documentation
- APIReference
- Pricing
- Plans
- RateLimits
- SignUp
- Login
- Console
- Authentication
- GettingStarted
- Quickstart
- Tutorials
- KnowledgeCenter
- Glossary
- Support
- Blog
- StatusPage
- TermsOfService
- PrivacyPolicy
- Legal
- X
- YouTube
- GitHubOrganization
- GitHubRepository (shodan-python)
- GitHubRepository (shodan-developer-docs)
- GitHubRepository (shodan-ruby)
- GitHubRepository (shodan-perl)
- GitHubRepository (Shodan.NET)
- GitHubRepository (steampipe-plugin-shodan)
- CLI
- SDK - Python
- SDK - Ruby
- SDK - PHP
- SDK - C++
- SDK - C#
- SDK - C# (alt)
- SDK - Go
- SDK - Go (ns3777k)
- SDK - Haskell
- SDK - Java
- SDK - Node.js
- SDK - Perl
- SDK - PowerShell
- SDK - Rust
- SDK - Crystal
- Tools - Steampipe Plugin
- Tools - Shodan Monitor
- Tools - Shodan Maps
- Tools - Shodan Images
- Tools - Shodan Bulk Data
- Tools - Shodan Snippets
- Tools - MCP Server (BurtTheCoder)
- Tools - MCP Server (ADEOSec)
- Tools - MCP Server (Cyreslab-AI)
- Tools - MCP Server (Vorota-ai)
- Tools - MCP Server (mohdhaji87)
- SpectralRules
- Vocabulary
- FinOps
| Name | Description |
|---|---|
| Internet-Wide Device Search | Search billions of indexed banners from servers, routers, webcams, industrial control systems, and IoT devices using a powerful query language with facets and filters. |
| Host Information Lookup | Retrieve all known information for an IP including open ports, service banners, geolocation, ASN/ISP, hostnames, vulnerabilities, SSL/TLS certificates, and detected technologies. |
| On-Demand Scanning | Submit IPs, CIDR ranges, or netblocks for an on-demand crawl using scan credits. Enterprise plans can request Internet-wide scans for a specific port or protocol. |
| Network Alerts and Notifiers | Create alerts on monitored IP ranges that fire when new services, changes, vulnerabilities, or expirations are detected, with delivery via Slack, email, webhook, and other notifier providers. |
| DNS Lookup Suite | Forward, reverse, and full-domain DNS lookups including subdomain enumeration backed by Shodan's passive DNS database. |
| Streaming Firehose | Subscribe to real-time banner data filtered by ASN, country, port, or CVE for SIEMs, data lakes, and bespoke analytics pipelines. |
| Trends Analytics | Run faceted queries against the full historical scan database to analyze product adoption, regional exposure, and changes over time. |
| InternetDB Free Lookup | Open, key-free lookup that returns the open ports, CPEs, tags, and CVEs for any IPv4 address; refreshed weekly. |
| CVEDB Vulnerability Database | Open vulnerability lookup with CPE search, KEV filter, EPSS sorting, and date-range queries. |
| Bulk Data Exports | Enterprise-tier daily and on-demand bulk exports of Shodan's underlying datasets for offline analysis and warehousing. |
| Organization Management | Enterprise organization support for sharing credits and managing members through the API. |
| Saved Query Directory | Browse, search, and tag community-contributed Shodan queries covering common technologies, exposures, and devices. |
| Notifier Providers | Built-in notification provider integrations for Slack, email, Discord, Telegram, webhook, and more. |

| Name | Description |
|---|---|
| Attack Surface Management | Continuously monitor an organization's external attack surface for new services, configuration drift, and vulnerable software. |
| Vulnerability Intelligence | Quantify exposure to specific CVEs across the Internet or a defined customer footprint using CVEDB and the search/trends APIs. |
| Threat Hunting and OSINT | Pivot from IPs, certificates, banners, and ASNs to map adversary infrastructure and discover related hosts. |
| Security Research | Study the distribution of misconfigured services, exposed databases, and emerging IoT ecosystems across the public Internet. |
| Competitive and Market Research | Track adoption of products, web servers, cloud providers, and frameworks across regions and industries using Trends. |
| Regulatory and Compliance Reporting | Demonstrate visibility into externally exposed assets for frameworks that require attack-surface inventories. |
| Insurance Underwriting | Inform cyber-insurance scoring with externally observable evidence of exposed services, vulnerabilities, and hygiene. |
| Incident Response | Triage IPs observed in alerts against Shodan history to determine who they are and what services they expose. |

| Name | Description |
|---|---|
| Splunk | Shodan data is widely ingested into Splunk for security analytics via the streaming API and the Splunk add-on ecosystem. |
| Maltego | Shodan transforms for Maltego enable graph-based pivoting on banners, certificates, and IPs. |
| Slack | Notifier integration delivers alert events to Slack channels. |
| Email | Notifier integration delivers alert events to mailboxes. |
| Webhook | Notifier integration posts alert events to arbitrary HTTPS endpoints. |
| Discord | Notifier integration delivers alert events to Discord servers. |
| Telegram | Notifier integration delivers alert events to Telegram chats. |
| Steampipe | Official Steampipe plugin lets you query Shodan host, DNS, and exploit data using standard SQL. |
| Model Context Protocol | Multiple community MCP servers expose Shodan tools to AI assistants including Claude, Cursor, and VS Code. |
| Nmap | Shodan's CLI ships helpers to enrich Nmap scan output with Shodan-derived banner context. |

| Name | Description |
|---|---|
| Shodan Monitor | Hosted attack-surface monitoring product built on the network alerts and notifiers APIs. |
| Enterprise Data Feed | Real-time firehose and daily bulk data exports for SOCs, threat intelligence platforms, and academic researchers. |
| InternetDB | Free, unauthenticated host lookup designed for embedding into security tools and dashboards. |
| CVEDB | Free vulnerability database with KEV and EPSS metadata for prioritization workflows. |
| Internet-Wide Scanning | Enterprise-only capability to request a scan of the entire Internet for a specific port or protocol. |
Machine-readable API specifications organized by format.
- Shodan REST Host
- Shodan REST Banner
- Shodan REST Search Result
- Shodan REST Alert
- Shodan REST Notifier
- Shodan REST Scan
- Shodan Stream Banner
- Shodan Trends Result
- Shodan InternetDB Host
- Shodan CVEDB CVE
- Shodan CVEDB CPE
- REST Host Lookup
- REST Search
- REST Scan Create
- REST Alert Create
- Stream Banner
- Trends Search
- InternetDB Host
- CVEDB CVE Lookup
Naftiko capabilities organized as shared per-API definitions composed into customer-facing workflows.
- Shodan REST - 26 operations for search, host lookup, scanning, alerts, notifiers, DNS, and account management
- Shodan Streaming - 5 operations for the real-time banner firehose (full + ASN/country/port/CVE filters)
- Shodan InternetDB - 1 operation for the free unauthenticated IP lookup service
- Shodan CVEDB - 3 operations for CVE detail, CVE search, and CPE search
| Workflow | APIs Combined | Tools | Persona |
|---|---|---|---|
| Attack Surface Monitoring | REST + Streaming | 7 | Security Operations / Attack Surface Manager |
| Vulnerability Intelligence | CVEDB + REST + Streaming + InternetDB | 7 | Vulnerability Analyst / Threat Intel Team |
| Internet Asset Discovery | REST + InternetDB | 8 | Red Team / M&A Due Diligence / Third-Party Risk |
Commercial plans and pricing modeled as API Commons Plans 0.1.
- Shodan Plans & Pricing - Developer (free), Membership (one-time $49), Freelancer ($69/mo), Small Business ($359/mo), Corporate ($1,099/mo), Enterprise (custom)
Request-rate, concurrency, and quota policies modeled as API Commons Rate Limits 0.1.
- Shodan Rate Limits - REST request cap, per-tier query/scan credit quotas, monitored-IP allotments, plus CVEDB/InternetDB fair-use policy
Billing surface aligned to the FinOps Framework / FOCUS data spec.
- Shodan FinOps - FOCUS-mapped subscription + metered allotment model for query credits, scan credits, monitored IPs, REST requests, and streaming connection seconds
- Shodan Domain Vocabulary - 39 terms spanning search/scanning/alerting concepts, banner/host/CVE/CPE data primitives, credit accounting, and notifier delivery channels
- Shodan Ruleset - 11 Spectral rules enforcing HTTPS-only servers, key-named apiKey scheme, Title Case summaries, mandatory tags / operationIds / descriptions, and required 200 responses
FN: Kin Lane
Email: kin@apievangelist.com