There is a category of online tool that quietly scans almost every device connected to the internet. It records what is running, which version, and whether anything looks out of date or misconfigured. Then it lets anyone search the results.

These are public vulnerability scanners. Security teams use them to find their own weak spots. Unfortunately, so do criminals. The same search that helps you protect your business can help an attacker pick their next target.

The good news is simple. You can use these tools on your own systems, and you can be alerted the moment something risky appears. If you get there first, you fix the problem before anyone can use it against you.

What is a public vulnerability scanner?

A public vulnerability scanner is a service that continuously scans the public internet and builds a searchable map of everything it finds. Think of it as a search engine, but instead of web pages it indexes devices, servers, and services.

For each one, it records useful details. The open ports. The software and version. The security certificate. Sometimes a screenshot of a login page. It then flags anything that matches a known weakness.

Tools like Shodan and Censys have indexed billions of these results. Anyone with an account can type in a query and see a list of matching systems anywhere in the world.

How they work, in plain English

You do not need the technical detail to understand the risk.

These scanners send harmless requests to internet addresses, the same way your browser connects to a website. The device on the other end answers with a small piece of information called a banner. The banner often reveals the software name and version.

The scanner stores that banner and checks it against a list of known vulnerabilities. If your server announces an old, unpatched version, the scanner can label it as exposed.

It repeats this billions of times across the whole internet, then refreshes the data regularly. The result is a live picture of what is exposed, where, and how.
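To make the banner step concrete, here is a small added example (written for this article, not code from Shodan, Censys or any other scanner) of the check described above. It pulls the product name and version out of a few constructed banners and compares the version with a table of the oldest version it treats as safe. The banners, the table and the regular expressions are all made up for illustration; the table is not a real advisory and must not be read as a list of vulnerable versions.

```python
"""Added example: what a scanner does with a banner it has collected.

The sample banners and the "oldest safe version" table are constructed for
illustration only. They are placeholders, not a real advisory.
"""
import re

# Constructed sample banners, in the form a scanner would store them.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\n",
    "220 mail.example.test ESMTP Postfix 3.6.4",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n",   # no version advertised
]

# Constructed placeholder thresholds (not real security advisories).
MIN_SAFE_VERSION = {
    "OpenSSH": "8.0",
    "Apache": "2.4.50",
    "Postfix": "3.6.0",
}

# One pattern per banner style: a product name followed by a dotted version.
BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
    re.compile(r"Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[\d.]+)"),
    re.compile(r"ESMTP (?P<product>Postfix) (?P<version>[\d.]+)"),
]


def parse_banner(banner):
    """Return (product, version) from a banner, or (None, None) if unrecognised."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return m.group("product"), m.group("version").rstrip(".")
    return None, None


def version_tuple(version):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split(".") if part)


def is_outdated(product, version):
    """True if the version is older than the constructed minimum safe version."""
    minimum = MIN_SAFE_VERSION.get(product)
    if minimum is None:
        return False
    return version_tuple(version) < version_tuple(minimum)


def assess_banners(banners):
    """Classify each banner as 'outdated', 'ok' or 'unknown'."""
    results = []
    for banner in banners:
        product, version = parse_banner(banner)
        if product is None:
            status = "unknown"          # nothing to compare against
        elif is_outdated(product, version):
            status = "outdated"         # what a scanner would label as exposed
        else:
            status = "ok"
        results.append({"banner": banner.strip(), "product": product,
                        "version": version, "status": status})
    return results


if __name__ == "__main__":
    for r in assess_banners(SAMPLE_BANNERS):
        print(f"{r['status']:9} {r['product'] or '?'} {r['version'] or ''}")
```

Two things worth noticing. A service that advertises no version (the nginx line) cannot be judged at all, which is why many hardening guides recommend trimming what banners reveal. And versions have to be compared number by number, not as text, or "2.4.9" would wrongly sort after "2.4.49".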

Why security teams love them

Used properly, these tools are a gift for defenders.

Most businesses do not have a complete list of what they have connected to the internet. A forgotten test server, an old remote access tool, or a misconfigured camera can sit exposed for months. This is often called your attack surface, and it is usually bigger than people expect.

A public scanner shows you your attack surface from the outside, exactly as an attacker sees it. You learn what is exposed, whether it is patched, and whether anything new has appeared without your knowledge.

That visibility is the whole point of our vulnerability assessment work. You cannot protect what you do not know you have.

The other side: how threat actors use the very same tools

Here is the uncomfortable truth. Criminals use these scanners every single day.

Many threat actors pay for the higher subscription tiers. These plans unlock millions of scans and searches per month. With that access, an attacker can search the entire internet for a specific weakness in minutes.

When a new vulnerability is announced, attackers do not hunt for victims one by one. They run a single query and pull a ready made list of everyone who is exposed. This is not theory. As we noted in our cPanel and WHM article, around 1.5 million vulnerable instances of that one product were visible to public scanning at the time.

In effect, these services hand attackers a map. They show who is vulnerable and how. From there, it becomes a numbers game.

The tools used to break in

Finding the target is only the first step. Once an attacker has a list, they reach for well known intrusion tools to test each one.

We will not provide a how to guide, but business owners should understand the general categories at play:

  • Credential tools that try common or leaked username and password combinations against exposed logins.
  • Exploitation frameworks that bundle ready made code for known vulnerabilities.
  • Mass scanning tools that probe thousands of targets quickly to confirm which ones are truly weak.

When a system is unpatched or misconfigured, this can be alarmingly easy. Some exposures, like a critical flaw that needs no password, can be broken into in seconds. That is why speed matters so much on the defensive side.

How AI is fast tracking the whole thing

The pace has changed sharply, and we have written about this trend before.

In our guide to penetration testing methods, we explained how AI now helps both defenders and attackers find flaws faster than ever. The same applies here.

Attackers can use AI to sift scanner results, prioritise the easiest targets, write exploit code, and run attacks at a scale that was simply not possible a few years ago. Their success rate climbs because the busywork is automated. As we said in our HTTP/2 Bomb article, last year’s defences may not hold this year.

The simple mistakes that create an opening

You do not need to be a high value target to be hit. You only need to be exposed. In most cases, the door is left open by a small, avoidable mistake.

The most common ones we see include:

  • Remote access left open. A remote desktop or admin panel exposed to the whole internet is one of the first things attackers search for.
  • Default or weak passwords. Devices shipped with a factory password that was never changed.
  • Unpatched software. A web server, plugin, or control panel running an old version with a known flaw.
  • Databases facing the internet. A database that should sit behind a firewall but is reachable by anyone.
  • Forgotten systems. A test site, old server, or staging environment that nobody is watching.
  • Misconfigured services. A setting changed during a quick fix that quietly exposed more than intended.

Any one of these can be found by a public scanner in moments. Once it is visible, it is only a matter of time before someone tries the handle. The question is whether you find it first.

A real example: when a website hack took down a business’s email

Here is how quickly a small exposure can turn into a big problem.

We worked with Enviroscope, a commercial and industrial building maintenance business. Attackers slipped hidden malicious code into a single theme file on their WordPress website. The code only ran for normal visitors, so it stayed quiet and avoided detection for some time.

The website compromise was bad enough on its own. The knock on effect was worse. It dragged down the reputation of the business domain. Spam filters took notice, and the domain was blacklisted by multiple services. Soon their everyday business emails were being blocked or pushed to junk, especially for clients on Microsoft platforms.

Here is the part that surprises most owners. Their email system was never actually breached. A problem on the website alone was enough to break their email. Invoices, quotes, and client replies stopped landing reliably for a fair while. For a business that runs on email, that is a serious hit.

Recovery took real time and effort. Our team removed the malicious code, confirmed the bad behaviour had stopped, then worked through DNS and email authentication to rebuild the domain’s reputation. Deliverability only started to recover once all of that was done. You can read the full story in our website malware and email reputation recovery case study.

The lesson is simple. The earlier you spot an exposure, the smaller the clean up. Monitoring is how you catch it on day one instead of week three.

Comparing the major public scanners

Several services dominate this space. Here is a plain summary of each, with the kind of business it suits.

  • Shodan. The best known scanner, with a friendly dashboard, a built in monitoring tool, and low entry pricing. Strong all rounder. Ideal for small and medium businesses.
  • Censys. Extremely accurate, with enterprise grade attack surface management and deep integrations. Powerful, but priced and built for larger security teams.
  • FOFA. A large China based scanner with powerful search. Useful for researchers, though the interface and support suit technical users.
  • ZoomEye. Another well established China based platform with broad coverage. Capable, but again aimed at a technical audience.
  • BinaryEdge. Solid data and a clean API. Popular with security professionals who want to build their own tooling.
  • Netlas. A newer entrant with strong search and good value. Growing fast and worth watching.
  • ONYPHE. Focused on cyber defence and threat intelligence. Detailed, with a steeper learning curve.
  • LeakIX. Specialises in finding exposed and leaking services. A useful niche tool rather than an all rounder.
  • Criminal IP. A capable platform with AI driven attack surface management and clear alerts. A reasonable option for businesses, though pricier than Shodan to start.

Which is best for a small or medium business?

For most Australian SMBs, the answer is Shodan.

It strikes the right balance. The dashboard is approachable for non technical owners. The data is trusted across the industry. It includes a dedicated monitoring tool that watches your systems and alerts you to changes. And the cost of entry is low, often a one off membership fee rather than a large monthly bill. Prices do change, so check the current rate before you buy.

Censys and Criminal IP are excellent, but they are built and priced with bigger security teams in mind. For a lean business that wants visibility and alerts without complexity, Shodan is the practical choice.

How to set up Shodan to watch your own systems

Here is a straightforward way to monitor your public facing systems and get alerted if a weakness appears. One important rule first. Only scan and monitor systems that you own or are authorised to manage.

  1. Create your account. Sign up at shodan.io and choose a membership. This gives you access to Shodan Monitor and an API key.
  2. Find your public addresses. You need the public IP addresses or domain names your business exposes to the internet. Your IT provider or hosting company can confirm these if you are unsure.
  3. Open Shodan Monitor. Go to monitor.shodan.io and add your network range, individual IPs, or your domain. Shodan can track a whole domain for you.
  4. Turn on alerts. Enable triggers so you are notified when something changes. The most useful is the new service alert, which tells you whenever a new port or service appears that was not there before. You can also alert on known vulnerabilities.
  5. Set your notifications. Point alerts to an email address your team actually checks. More technical teams can route alerts into other tools.
  6. Review the dashboard. Within a few minutes you will see what you currently have exposed. Look for anything you did not expect, such as an open remote access port or an old software version.
  7. Act on what you find. Patch, close, or restrict anything risky. Then let the monitor keep watch so future changes reach you straight away.
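For the more technical reader, here is an added example (written for this article, not Shodan's own code) of the check behind the "new service" alert in step 4. A baseline of what a host is expected to expose is compared with the host record Shodan returns, and anything new, or anything Shodan has tagged with a known vulnerability, is reported. The sample record is constructed to look like a Shodan host record (a "data" list of banners with "port", "transport", "product" and "version", plus a top level "vulns" list), which is an assumption about the API's shape rather than a copy of a real response; the vulnerability id in it is a placeholder. fetch_host() calls the real Shodan REST endpoint and needs your own API key in the SHODAN_API_KEY environment variable; it only runs when you call it yourself, and only for addresses you own or are authorised to monitor.

```python
"""Added example: the drift check behind a "new service" alert.

SAMPLE_HOST is a constructed record in an assumed Shodan-like shape. The
only network call is fetch_host(), which is not run automatically.
"""
import json
import os
import urllib.request

# Constructed: what this host is expected to expose, as (port, transport).
BASELINE = {(443, "tcp"), (22, "tcp")}

# Constructed sample host record (assumed Shodan-like shape, see above).
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "ports": [22, 443, 3389],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH", "version": "9.3"},
        {"port": 443, "transport": "tcp", "product": "nginx", "version": "1.24.0"},
        {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol",
         "version": None},
    ],
    "vulns": ["CVE-PLACEHOLDER-0001"],   # placeholder id, not a real CVE
}


def fetch_host(ip, api_key=None):
    """Fetch a host record from the Shodan REST API (live call, needs a key)."""
    api_key = api_key or os.environ["SHODAN_API_KEY"]
    url = f"https://api.shodan.io/shodan/host/{ip}?key={api_key}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def new_services(host, baseline):
    """Services in the host record that are not in the expected baseline."""
    found = []
    for svc in host.get("data", []):
        key = (svc.get("port"), svc.get("transport", "tcp"))
        if key not in baseline:
            found.append(svc)
    return found


def check_host(host, baseline):
    """Produce the alert lines a monitor would raise for this host."""
    alerts = []
    for svc in new_services(host, baseline):
        label = svc.get("product") or "unknown service"
        transport = svc.get("transport", "tcp")
        alerts.append(f"new service: {svc['port']}/{transport} ({label})")
    for vuln_id in host.get("vulns", []):
        alerts.append(f"known vulnerability tagged: {vuln_id}")
    return alerts


if __name__ == "__main__":
    # Offline run against the constructed record. For a live check of an
    # address you own, replace SAMPLE_HOST with fetch_host("your.ip.here").
    for line in check_host(SAMPLE_HOST, BASELINE):
        print(line)
```

The constructed record deliberately contains an unexpected remote desktop port, the kind of thing step 6 tells you to look for. In practice you would run a check like this on a schedule, keep the baseline under version control so changes to it are deliberate, and treat every "new service" line as something to explain, close, or restrict.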

That last point is the real value. Set it once, and you move from finding out about an exposure during a breach to finding out within hours, while you can still do something about it.

Check this now, and protect yourself from recent threats

This matters most for the exact issues we have been writing about.

If a public scanner can see that your server runs a vulnerable web server, you are exposed to threats like the HTTP/2 Bomb. If it can see an exposed control panel, you face risks like the cPanel and WHM flaw that the ACSC confirmed was being actively exploited in Australia.

Monitoring does not replace good security. It is the early warning system that sits on top of it. Combined with regular testing, as covered in our penetration testing methods guide, it gives you both a clear picture and a fast alert.

How Sentry Cyber can help

Setting up monitoring is simple in theory. Knowing what the alerts mean, and what to do about them, is where many businesses get stuck.

That is where we come in. Our vulnerability assessment maps your full external attack surface and tells you, in plain English, what is exposed and how urgent it is. Our security monitoring keeps watch so you are alerted the moment something changes. And our security consulting gives you ongoing expert guidance without the cost of a full time hire.

We do not hand you a jargon filled report and walk away. We help you understand your risk and fix what matters.

The bottom line

Public vulnerability scanners are a double edged sword. Attackers use them to find easy targets at scale, now faster than ever with AI. You can use the very same tools to find your weak spots first.

Exposure is rarely a question of if it will be found. It is a question of when, and who finds it first. Set up monitoring, get alerted, and act early.

Want help checking what the internet can already see about your business? Book a free discovery call with Sentry Cyber today. There is no pressure and no jargon, just clear advice.

FAQ

What is a public vulnerability scanner?

It is an online service that continuously scans the public internet and records what every connected device is running. It then flags anything that matches a known weakness. Security teams use these tools to check their own systems, and attackers use them to find targets.

Are these tools legal to use?

Yes. Scanning and searching public internet data is legal, and tools like Shodan and Censys are used widely by legitimate security teams. The important rule is to only actively monitor or test systems that you own or are authorised to manage.

Can attackers really see if my business is vulnerable?

Often, yes. If your systems expose old software, open admin panels, or weak settings, a public scanner can record it and an attacker can search for it. That is exactly why scanning your own systems first is so valuable.

Which scanner is best for a small business?

For most small and medium businesses, Shodan offers the best balance. It is approachable, trusted, includes a built in monitoring and alerting tool, and has a low cost of entry. Censys and Criminal IP are excellent but are aimed at larger teams.

How quickly can I check my exposure?

You can set up basic monitoring in well under an hour. Within minutes of adding your addresses to a tool like Shodan Monitor, you can see what you currently have exposed to the internet.

How does AI make this more dangerous?

AI lets attackers sift scanner results, prioritise the easiest targets, write exploit code, and run attacks at scale. This speeds up the whole process and raises their success rate, which is why fast detection on your side matters more than ever.

Does monitoring replace proper security?

No. Monitoring is an early warning system that sits on top of good security, not a substitute for it. The best results come from combining monitoring, regular patching, and periodic penetration testing.

Can Sentry Cyber set this up for me?

Yes. We can map your external attack surface, set up monitoring and alerts, and explain what each finding means in plain English. Contact us for a free discovery call to get started.