The post 30 Cybersecurity Search Engines Every Researcher Should Bookmark appeared first on Deepak Gupta's notebook.

Google indexes the open web. Security researchers need to find things the open web hides: exposed devices, leaked credentials, certificate transparency logs, S3 buckets misconfigured for the world to read, code snippets that include API keys. That work runs on a different layer of the internet, and it has its own search engines.

I keep this list because I find it useful, and because newer researchers ask me for it about once a month. Below are 30 search engines I have either used myself for security work or seen used effectively by people I trust. They are grouped by what they actually do, with the short, honest version of when each one is worth opening.

A note on ethics. Every tool on this list is legal. Many can be abused. Use them only against assets you own, assets you have written authorisation to test, or publicly indexed information about your own organisation. The same query that hardens a bug bounty programme will get you sued, fired, or arrested if you point it at someone else’s infrastructure without permission.

Internet-asset discovery (the Shodan family)

These engines crawl the internet and index what they find: open ports, banners, services, certificates. They are the foundation of attack-surface management and external recon.

• Shodan. The original. Indexes every device on the public internet by banner. Searches like port:5900 country:US return open VNC instances. Indispensable for external attack surface mapping.
• Censys. Shodan’s main competitor. Better TLS certificate coverage and often better-quality results on web services. The free tier is generous enough for serious research.
• ZoomEye. Chinese-built cyberspace search engine. Especially strong for industrial control system fingerprinting.
• Netlas. Newer entrant. Strong for full-content search of HTTP responses across the IPv4 space.
• BinaryEdge. Continuous internet scanning with a focus on threat-intel feeds and exposed databases.
• FullHunt. Attack-surface discovery with API-friendly export. Useful for organisations doing recurring perimeter audits.
• ONYPHE. Cyber defence search engine. Good for pivoting between IP-address and certificate data.
• GreyNoise. The inverse of the rest of this category: tells you what is scanning everyone (background internet noise) so you can filter alerts down to real threats.
• Fofa. Cyberspace mapping engine with strong web-service fingerprinting, particularly for Chinese infrastructure.

DNS, domain, and certificate intelligence

The DNS layer is where most reconnaissance starts. These tools surface subdomains, historical DNS, certificate issuance, and the relationships between them.

• DNSDumpster. Visual DNS reconnaissance. Returns A, MX, NS, TXT records plus a nice graphical map. The fastest way to see a target’s perimeter at a glance.
• SecurityTrails. Deep historical DNS data. “What did this domain’s DNS look like 18 months ago?” lives here.
• crt.sh. Searches Certificate Transparency logs. Every TLS certificate ever issued by a public CA is logged here, which makes it the cleanest way to enumerate subdomains a target has stood up.
• Hunter. Email-address discovery for a given domain. Useful for phishing-simulation programmes and for legitimate sales prospecting.

Credential and data-leak search

When account-takeover incidents land, these are the first places to check. They aggregate breach corpora, paste sites, and dark-web markets.

• Dehashed. Indexes leaked credentials from public breaches. Critical for incident response and credential-stuffing defence.
• IntelligenceX. Searches Tor, I2P, data leaks, paste sites, and domains. Broader than Dehashed; complementary.
• LeakIX. Search engine for publicly indexed open services and leaked information. Useful for finding what your own organisation has accidentally exposed.

Cloud and storage exposure

• GrayHatWarfare. Searches public S3, GCS, and Azure Blob buckets. Sobering tool. Run it against your own org’s bucket-naming convention as a regular hygiene check.

Vulnerabilities and exploits

The reference databases for known weaknesses. Use these to triage what is actually exploitable in your stack today.

• Exploit-DB. The canonical public exploit archive. Offensive Security maintains it. Every red-team engagement starts somewhere in here.
• Vulners. Aggregated vulnerability database. Strong API. Useful for vulnerability-management pipelines that need a single search interface across NVD, exploits, advisories, and bug-bounty disclosures.
• Packet Storm Security. Long-running archive of advisories, exploits, and tools. Worth a weekly scroll.

Threat-intelligence feeds

• Pulsedive. Free threat-intelligence search with community-contributed IoCs (indicators of compromise). Good entry point for analysts building their own playbooks.
• AlienVault OTX. Open Threat Exchange. Community-shared threat-intel pulses. Hit-or-miss quality, broad coverage.
• PolySwarm. Multi-engine file and URL scanning marketplace. Useful when you want a verdict from more than one antivirus engine.

Web content and history

• urlscan.io. Submits a URL, returns a full snapshot: screenshot, DOM, network requests, JavaScript hashes. Indispensable for phishing analysis.
• Wayback Machine. Internet Archive’s historical snapshot of the web. “What did this site look like before it was taken down?” lives here.
• PublicWWW. Source-code search across websites. Useful for finding sites running a specific tracker, a particular CDN, or a known-vulnerable JavaScript library.
• DorkSearch. A focused interface for advanced Google operator queries (“Google dorking”). Faster than building the queries by hand.

Source-code search

API keys, secrets, and configuration leaks frequently land in public Git repositories. These engines surface what is exposed.

• grep.app. Lightning-fast regex search across a half-million public Git repositories.
• SearchCode. Searches 75 billion lines of code across roughly 40 million projects. Broader than grep.app, slower.

Wireless and physical infrastructure

• Wigle. Crowdsourced database of wireless networks with geolocation. The reference data set for any wireless threat-modelling exercise.

How real investigations combine these

No single search engine answers a real research question. A typical workflow:

1. Start with the asset. Subdomain enumeration via crt.sh and SecurityTrails, then DNSDumpster to visualise.
2. Find the services. Pivot the discovered IPs through Shodan and Censys to see what is listening.
3. Check exposure. Cross-reference with GrayHatWarfare for misconfigured buckets, LeakIX for indexed services, and Hunter for staff emails.
4. Triage vulnerabilities. Map service banners against Exploit-DB and Vulners; check Packet Storm for fresh advisories.
5. Look for breach signal. Search Dehashed and IntelligenceX for credentials tied to discovered identities; check urlscan.io for phishing kits targeting the brand.
6. Confirm activity. GreyNoise filters out the constant background scanning; AlienVault OTX flags whether the IPs are in known malicious infrastructure.

That pattern, run carefully, is the engine behind most external attack-surface programmes, bug-bounty submissions, and DFIR pivots.

The essential ten if you only bookmark a few

If thirty is too many, here is the short list. Bookmark these and you can hold up most of a research workflow.

1. Shodan for internet-exposed device discovery
2. Censys for TLS-heavy reconnaissance
3. crt.sh for certificate transparency subdomain discovery
4. DNSDumpster for fast visual DNS recon
5. SecurityTrails for historical DNS
6. Dehashed for leaked credentials
7. urlscan.io for phishing and URL analysis
8. Exploit-DB for known exploit lookups
9. GrayHatWarfare for public-bucket exposure
10. grep.app for secret hunting in public code

Adjacent reading

These engines are the discovery layer. For the defensive side, my hashing series covers the cryptographic primitives that protect credentials at rest: password hashing, secure password storage, and the algorithm decision framework. For the identity-layer attacker view, see the CIAM security buyer’s guide.

FAQ

Is it legal to use these search engines?

Using the search engines themselves is legal in most jurisdictions. Acting on the data, scanning systems, harvesting credentials, or accessing exposed resources without authorisation is not. Stay within bug-bounty scope, written pentest authorisation, or your own infrastructure.

Which is the single most useful for an SMB security team?

Shodan, run monthly against your own IP ranges, will surface 80% of the external-exposure issues a small team needs to know about. Pair it with crt.sh to catch subdomains that were stood up without IT’s knowledge.

How do these compare to commercial attack-surface management (ASM) platforms?

Commercial ASM platforms (Tenable, Microsoft Defender EASM, Palo Alto Cortex Xpanse, Mandiant Attack Surface) bundle many of these data sources plus continuous monitoring, ticket integration, and risk scoring. For a small team or research project, the free engines are sufficient. For an enterprise with hundreds of acquired assets, an ASM tool pays back the spend.

Do most of these have free tiers, and are the free tiers useful?

Yes to both. Shodan, Censys, urlscan.io, crt.sh, DNSDumpster, GreyNoise, Dehashed (limited), and grep.app all have free tiers that handle real research work. Paid tiers add bulk export, API rate limits, and historical depth.

How often does this list change?

Roughly once a year. The category leaders (Shodan, Censys, crt.sh, Exploit-DB, Dehashed) are stable. New entrants (Netlas, FullHunt, LeakIX) have appeared in the last 2-3 years and earned their spots. Tools occasionally disappear (RIP, BinaryEdge’s earlier free tier).

*** This is a Security Bloggers Network syndicated blog from Deepak Gupta's notebook authored by Deepak Gupta. Read the original post at: https://guptadeepak.com/30-cybersecurity-search-engines-for-researchers/